ABSTRACT


The  proceedings  of  an  International  Workshop  held  at  the  National  Institute  of 
Standards  and  Technology  on  March  20,  21,  and  22,  1991  are  presented.  The  purpose 
of  the  Workshop  was  to  examine  new  developments  in  the  application  of  risk 
analysis  in  offshore  oil  and  gas  operations.  The  proceedings  include:  an 
executive  summary,  invited  papers  on  current  practice  in  the  United  States, 
Canada,  the  United  Kingdom,  and  Norway,  and  summary  reports  and  recommendations  of 
six  Working  Groups:  (1)  Experience  Data  Bases  and  Case  Study  Analyses;  (2)  Risk 
Management  Practices;  (3)  Structures:  Risk  and  Reliability  Issues;  (4)  Production 
Facilities;  (5)  Pipelines  and  Subsea  Systems;  and  (6)  Drilling  Operations.  Also 
included  are  Working  Group  theme  papers. 

Key words: Codes; drilling platforms; gas production; marine engineering; ocean
engineering; offshore platforms; oil production; petroleum engineering;
regulations; reliability; risk analysis; shipping; standards.

EXECUTIVE SUMMARY


On March 20, 21 and 22, 1991 an International Workshop on Reliability of Offshore
Operations was held at the National Institute of Standards and Technology (NIST),
Gaithersburg, Maryland, USA. The Workshop was organized by NIST and sponsored by
the Minerals Management Service, U.S. Department of the Interior; Canada Oil and
Gas  Lands  Administration;  Offshore  Safety  Division,  Health  and  Safety  Executive, 
U.K.;  NIST;  and  the  American  Society  of  Civil  Engineers.  It  was  attended  by 
experts  from  the  petroleum  industry,  consulting  firms,  government  agencies,  and 
academic  and  research  institutions. 

The  purpose  of  the  Workshop  was  to  discuss  current  practice,  progress,  and  future 
directions  in  the  fields  of  risk  management  and  safety/reliability  analysis  of 
offshore  oil  and  gas  operations.  Recent  experience  and  case  studies  were 
emphasized. 

Invited papers on the safety of offshore installations and operations were
presented by representatives of regulatory agencies in Canada and the U.K., a
U.S. oil company and a U.K. industry group, and by consulting engineers active
in the United States and Norway. The papers included, respectively:

(1)  An  overview  of  the  Canada  Oil  and  Gas  Lands  Administration,  its 
mandate  and  responsibilities,  the  legislative  authority  under  which  it  has 
operated,  and  an  explanation  of  the  regulatory  process,  procedures  and 
requirements  it  has  formulated  and  implemented  to  provide  for  safety  and 
environmental  protection  for  offshore  oil  and  gas  operations  in  Canada. 

(2)  A  description  of  the  Offshore  Safety  Division,  Health  and  Safety 
Executive, U.K.; a discussion of the Piper Alpha disaster; a discussion of
principles  of  risk  and  reliability  and  safety  management;  and 
considerations  on  the  application  of  these  principles  offshore. 

(3)  A  description  of  the  U.K.  Offshore  Industry's  response  to  Lord 
Cullen's  report  on  the  Piper  Alpha  disaster,  and  a  discussion  of  the 
centerpiece  of  the  new  U.K.  approach  to  offshore  safety,  the  Safety  Case. 

(4)  A  discussion  of  Chevron  Corporation's  efforts  in  risk  and  reliability 
management,   focused  on  Chevron's  operations  in  the  Gulf  of  Mexico. 

(5)  A  presentation  of  methods  for  characterizing  loads  and  structural 
capacity,  and  of  structural  reliability  methods  and  criteria,  in  the 
context  of  design  and  re-qualification  of  offshore  platforms. 

(6)  A  discussion  of  the  background  to  the  introduction  in  1981  of 
Norwegian  Regulatory  Guidelines  for  Concept  Safety  Evaluation,  and  of  the 
current  introduction  of  Norwegian  Regulations  for  the  Use  of  Risk  Analysis 
in Petroleum Activities; and a discussion of the development of safety
studies  in  Norway  in  the  last  decade. 

In  preparation  for  the  Workshop  co-chairmen  and  core  groups  were  selected  for  six 
Working  Groups:  (1)  Experience  Data  Bases  and  Case  Study  Analyses;  (2)  Risk 
Management Practices; (3) Structures: Risk and Reliability Issues; (4) Production
Facilities; (5) Pipelines and Subsea Systems; (6) Drilling Operations. Each
Workshop participant joined the Working Group of her/his choice. The Working
Groups discussed, in parallel sessions, preliminary reports prepared by the
co-chairmen on the following issues: state of practice; problem areas; data
acquisition  and  research  needs;  and  opportunities  for  implementation  and 
application.  The  Workshop  Proceedings  include  final  Working  Group  reports.  These 
were  prepared  by  the  co-chairmen  on  the  basis  of  the  preliminary  reports  and  the 
Working  Group  discussions.  In  the  interest  of  time  the  final  reports  were  not 
circulated  to  and  reviewed  by  all  Working  Group  participants;  for  this  reason 
they  should  not  necessarily  be  viewed  as  a  definitive  expression  of  all 
participants'  views.  The  reports  are  summarized  below. 

Working  Group  #1.   EXPERIENCE  DATABASES  AND  CASE  STUDY  ANALYSES 

The  scope  of  this  Working  Group  was  defined  as  reviewing  the  potential  use  of 
existing  offshore  reliability  and  accident  databases,  establishing  requirements 
and  needs  for  future  databases,  and  determining  ways  in  which  greater  industry 
participation  and  acceptance  can  be  accomplished.  In  addition  to  the  preliminary 
report  by  the  co-chairmen,  the  Working  Group  based  its  discussions  on  three  theme 
papers.  The  first  theme  paper,  presented  by  R.  Visser  and  entitled  "Offshore 
Accidents  —  Lessons  to  Be  Learned,"  reviewed  major  accidents  that  had  a  major 
influence  on  practices  concerned  with  reliability  of  offshore  operations.  The 
second  paper,  presented  by  T.  Gjerstad  and  entitled  "Brief  Review  of  the  Oreda 
Project,"  discussed  the  results  from  the  ongoing  Oreda  reliability  data 
collection  project.  The  third  paper,  also  presented  by  T.  Gjerstad  and  entitled 
"Data  Collection  of  Hydrocarbon  Leaks  and  Ignitions  —  The  E&P  Forum  Approach," 
discussed  the  planned  approach  for  a  new  data  collection  project  by  the  E&P 
Forum.  The  three  theme  papers  are  included  in  the  Workshop  Proceedings. 

State  of  Practice.  Experience  databases  are  currently  collected  both  by 
government  agencies,  which  can  ensure  that  the  data  collection  is  complete  and 
from  all  operators,  and  by  industry,  which  normally  limits  use  of  the  data  to 
participating  companies  and  can  direct  data  collection  efforts  on  specific 
objectives  of  interest  to  participants. 

Accident  databases  are  maintained  by  the  Minerals  Management  Service  for  federal 
waters  in  the  Gulf  of  Mexico,  the  Institut  Francais  du  Petrole  for  accidents 
worldwide, and by various individual companies for specialized statistics (e.g.,
mobile  drilling  unit  failures,   offshore  worker  fatalities). 

Accident frequency databases (i.e., accident databases tied to population data)
are  maintained  worldwide  by  Veritec. 

Equipment  reliability  databases  include  the  Oreda  program,  which  now  has  several 
European  and  two  U.S.  participants,  and  the  E&P  Forum,  the  objectives  of  which 
are  to  develop  data  collection  guidelines  for  hydrocarbon  leak  and  emission 
events,   and  to  set  up  an  initial  database  of  release  data. 

Structural platform inspection data have been collected by the Minerals
Management Service since 1988, when reporting of the structural condition of the
some 3700 platforms in the Gulf of Mexico became mandatory. (Inspections are
required every 5 years.)


Problem  Areas.  One  possible  problem  is  the  misuse  of  information  through 
misinterpretation, which could lead to favoring certain technological solutions or
products,  rather  than  seeking  their  improvement.  A  second  problem  is  the 
restriction  of  data  use  to  participating  companies,  as  in  the  case  of  the  Oreda 
data;  without  such  restrictions  those  companies  would  normally  not  be  prepared 
to  engage  in  the  data  collection.  A  third  problem  is  the  lack  of  a  standard 
methodology  for  data  collection.  A  fourth  problem  is  the  possible  misuse  of  data 
in  liability  court  cases,  especially  in  the  United  States.  It  was  noted,  however, 
that  such  legal  difficulties  do  not  appear  to  have  arisen  in  the  airline 
industry,  which  maintains  extensive  equipment  failure  databases. 

Research Needs. To show the usefulness of data collection, case analyses should
be  performed.  These  should  use  the  data  not  only  for  quantitative  risk  estimates, 
but  also  to  compare  possible  solutions  to  various  safety  problems  in  offshore 
operations.  As  far  as  the  Minerals  Management  Service  events  file  is  concerned, 
it  would  be  worthwhile  tying  the  data  in  with  population  data.  Since  many 
databases  exist  that  are  not  widely  known,  a  directory  of  available  databases 
should  be  compiled.  When  the  E&P  Forum  database  becomes  available,  its  data 
should  be  calibrated  and  checked  against  Minerals  Management  Service  events  file 
data.  Advantages  of  Oreda  membership  expansion  should  be  considered.  There  is  a 
need  to  separate  clearly  in  databases  those  accidents  due  to  organizational 
causes  from  those  due  to  human  error.  Outside  technical  audits  should  be 
considered.  These  would  concentrate  on  platform  safety  and  life  safety  problems, 
reviewing  systems,  training  and  so  forth,  and  would  report  to  the  highest 
management  levels.  A  data  collection  conference  that  would  seek  to  establish  data 
collection  standards  could  be  useful. 

Implementation  and  Application.  An  illustrative  example  was  outlined  of  the 
possible  implementation  and  application  of  databases  in  an  offshore  production 
organization.  In  that  example  data  on  release  events  and  safety  system  failures 
were  used  in  conjunction  with  fault  trees  to  define  frequencies  of  scenarios  that 
could  cause  fatalities  in  safe  haven  facilities. 


Working  Group  #2.  RISK  MANAGEMENT  PRACTICES 

The  purpose  of  this  Working  Group  was  to  review  principles  and  practices  of  risk 
management  in  the  regulation  of  the  offshore  oil  and  gas  industry.  The  Working 
Group  noted  the  significant  progress  made  in  the  last  decade  in  risk  assessment 
and  risk  management  practices.  The  Working  Group  report  incorporates  material 
from a theme paper presented by J. E. Vinnem and is based, in addition, on
discussions  by  Working  Group  participants. 

State  of  Practice.  The  report  emphasizes  the  state  of  practice  in  Norway,  the 
first  country  to  adopt  risk  management  principles  in  the  regulation  of  offshore 
operations.  In  Norway  the  certifying  authority  operates  on  behalf  of  the 
government.  Formerly,  acceptance  criteria  were  issued  by  the  Norwegian  Petroleum 
Directorate (NPD). More recently, regulation requires operators to set their own
long  term  safety  goals,  rather  than  imposing  a  10~^/year  criterion  under  all 
circumstances.   The  primary  objective  of  risk  assessments  during  planning  and 
design is the identification of Design Accidental Events (DAE), that is, events
that  the  platform  should  be  designed  to  sustain.  Estimates  are  then  made  of  the 
frequencies of Residual Accidental Events (RAE), i.e., events that the platform
is  assumed  not  to  be  capable  of  sustaining.  These  frequencies  should  be  compared 
with  the  10~^/year  cut-off  limit  per  safety  function  and  for  each  hazard  type. 
The  Concept  Safety  Evaluation  (CSE)  was  formally  required  as  of  September  1,  1981 
for  production  installations  on  the  Norwegian  Continental  Shelf.  Accident 
scenarios  are  identified  by  taking  into  account  possible  initiating  events, 
possible  failures  of  safety  systems,  and  environmental  conditions.  DAE's  are 
identified  from  among  these  scenarios.  The  1981  Guidelines  specify  six  DAE 
requirements,  including  the  requirement  that  personnel  outside  the  immediate 
vicinity  not  be  injured,  and  that  safe  evacuation  be  possible.  The  use  of 
Probabilistic  Risk  Assessment  (PRA)  techniques  is  viewed  as  an  indispensable 
element  in  the  implementation  of  the  risk  management  approach  inherent  in 
Norwegian  practice. 

Brief  sections  are  devoted  to  practice  in  the  United  Kingdom  and  the  United 
States.  In  the  U.K.,  the  Safety  Case  requirement,  recommended  by  the  Cullen 
Report  following  the  Piper  Alpha  disaster,  dominates  the  approach  to  risk 
management.  Its  main  feature  is  that  the  approval  of  safety  is  based  on  dedicated 
assessment  of  the  specific  conditions  on  each  installation,  rather  than  on 
meeting  prescriptive  standards  or  guidelines.  The  Safety  Management  System  (SMS) 
should  include  a  quantified  risk  analysis  assessment,  a  fire  risk  analysis,  and 
an  evacuation,  escape  and  rescue  analysis.  Regular  audits  are  recommended,  to  be 
performed  internally  by  the  operator  and  by  the  regulatory  body.  In  the  United 
States  risk  assessment  and  risk  management  techniques  are  just  beginning  to  be 
used.  A  recent  application  is  the  Methodology  for  Comparison  of  Alternate 
Platform  Systems  (MCAPS). 

The  application  of  risk  management  principles  to  offshore  operations  is 
illustrated  in  the  report  by  a  case  study  analysis  of  a  recent  development 
project  on  the  Norwegian  Outer  Continental  Shelf. 

Problem  Areas.  Lack  of  data  remains  a  main  obstacle  in  the  efficient  use  of  risk 
management  techniques.  In  Norway  risk  assessments  are  not  used  for  verification 
of  safety  levels,  but  rather  as  a  design  tool.  The  possible  fear  on  the  part  of 
industry  that  risk  assessment  tools  could  be  used  to  require  "proof"  of  an 
acceptably  low  risk  level  may  inhibit  their  use.  Thus  it  is  necessary  to 
emphasize  that  the  process  of  risk  assessment,  rather  than  a  set  of  numerical 
results,  is  of  primary  significance.  Results  should  be  viewed  in  a  notional 
probability,  rather  than  in  an  actuarial,  sense.  Finally,  "exactness"  in  the 
physical  model  should  not  be  carried  too  far,  since  it  could  render  the  analysis 
prohibitive  without  achieving  significant  improvements  in  the  results. 

Research  Needs.  Research  is  suggested  on  the  expanded  utilization  of  PRA  for 
Cost/Risk/Benefit  Assessments.  The  development  of  appropriate  software  also 
warrants  additional  effort.  Continued  attention  should  be  given  to  the 
integration  of  risk  assessment  into  the  design  process,  keeping  in  mind  that  the 
risk  assessment  process  itself  has  the  highest  value,  while  analytic  (numerical) 
results  are  usually  of  minor  importance;  and  that  risk  assessments  can  be  used 
without creating significant controversies. It is suggested that PRAs are
potentially  useful  in  the  context  of  life  cycle  cost  optimization.  Research  is 
also  warranted  on  integration  of  PRA's  into  operational  planning,  including 
maintenance  and  inspection  planning  and  specification  of  equipment  standards. 
Research  is  needed  on  the  physical  modeling  of  certain  fire  and  explosion 
scenarios,  and  for  the  failure  mechanisms  of  novel  systems,  e.g.,  flexible 
pipelines.  Also  needed  are  data  on  the  reliability  of  safety  systems,  leaks,  and 
ignition  of  oil  and  gas. 

Implementation  and  Application.  Major  opportunities  for  implementation  and 
application  of  risk  management  techniques  include  studies  for  the  upgrading  of 
first  generation  platforms,  and  studies  of  platforms  in  deeper  waters. 


Working  Group  #3.   STRUCTURES:  RISK  AND  RELIABILITY  ISSUES 

For  the  sake  of  efficiency,  the  discussions  were  focused  around  the  following 
four  issues:  (1)  Reassessment  of  Steel  Jackets;  (2)  Optimization  of  Inspection, 
Maintenance  and  Repair;  (3)  Risk  Management  of  Novel/High  Consequence  Systems; 
and (4) Design: Reliability-based Design, Design Norms (Standards), and
Life-Cycle Design Optimization.

State  of  Practice.  First  generation  structural-mechanical  and  structural 
reliability  tools  are  available  for  use  in  the  reassessment  of  steel  jackets,  but 
there  is  no  consensus  on  how  to  use  the  results  in  decision  making. 

Reliability-based  methods  applicable  to  individual  members  have  been  developed 
and  used  successfully  for  inspection  planning.  Recent  advances  have  coupled  these 
member-oriented  analyses  with  multiple  deterministic  push-over  studies  to 
identify  the  more  critical  members  for  inspection  focus.  Inspection  was  felt  to 
be  pertinent  primarily  to  platform  reassessment;  for  new  platforms  the  first  line 
of  defense  should  not  be  inspection,  but  design  allowing  for  sufficiently  long 
fatigue  lives. 

The  acceptance  by  industry  and  the  likelihood  of  performing  risk  analyses  of 
novel and/or high consequence systems have improved since 1984. However, only
relatively  few  operators  and  contractors  have  the  requisite  expertise;  the 
receptivity  to  risk  analyses  on  the  part  of  regulators  varies  geographically;  and 
there  is  a  lack  of  standardized  guidelines  for  decision  making  based  on  risk 
analyses.  These  factors,  among  others,  still  limit  the  application  of 
risk/reliability  analyses. 


Some practitioners believe that safety decisions based on Probabilistic
Risk  Assessments  (PRAs)  are  not  significantly  affected  by  uncertainties  in  the 
probability  distributions  used  in  the  PRAs.  However,  there  are  indications  that 
this  belief  is  not  warranted  in  general,  even  if  PRA  results  are  used  in  a 
notional  and  relative  sense.  The  possible  effect  of  such  uncertainties  on  various 
types  of  safety  decisions  should  therefore  be  viewed  as  an  important  research 
topic.  (Editor's  note.) 

Much progress has been made since 1984 in the areas of reliability-based design,
design norms, and life-cycle optimization. Reliability-based design norms with
deterministic format (e.g., LRFD) are now being routinely developed in many parts
of the world for various types of structure, including conventional jackets. A
similar development is under way for tension leg platforms. Direct
reliability-based design is feasible computationally if standard assumptions are used on the
pertinent  probability  distributions.  Interest  on  the  part  of  industry  would  be 
needed  for  this  capability  to  develop.  This  is  also  true  of  full-life-cycle, 
cost-risk  benefit  optimized  designs. 

Problem  Areas.  Push-over  analyses  appear  not  to  provide  a  realistic  basis  for 
estimating  reserve  strength  ratios  for  platform  reassessment  purposes.  Work  is 
needed  to  correct  this  state  of  affairs.  In  particular,  this  is  true  for  damaged 
structures/members. Advanced analysis approaches (e.g., nonlinear finite element
analyses) are available to help in this regard.

Difficulties  still  remain  with  regard  to  assessing  correctly  (a)  the  probability 
of  detecting  defects  given  a  particular  device/operator  combination  and  (b)  the 
probability  of  sizing  defects  correctly.  Probabilistic  tools  for  inspection 
planning  developed  in  Norway  are  based  on  various  assumptions,  such  as  initial 
flaw  size,  that  need  careful  scrutiny.  These  tools  require  extensive  efforts  to 
produce requisite input data (e.g., structure-wide fatigue analyses). Finally,
to  date  no  adequate  procedures  for  planning  inspection  appear  to  have  been 
devised  that  account  for  such  needs  as  marine  growth  or  damage  due  to  dropped 
objects. 

Mechanisms  for  analyzing  the  uncertainties  inherent  in  probabilistic  assessments 
for  novel  types  of  structures  are  not  widely  agreed  upon.  Problems  also  exist 
with  regard  to  the  definition  of  target  failure  probabilities.  The  whole  area  of 
probabilistic  design  and  assessment  for  novel  types  of  structures  is  still  in  its 
infancy. 

Where  probability-based  methods  exist  (e.g.,  for  jacket  platforms),  there  are 
wide  discrepancies  between  approaches  existing  in  different  countries.  This 
entails  potentially  difficult  code  calibration  issues.  The  state  of  the  art  is 
still  insufficiently  developed  in  the  area  of  reliability-based  foundation 
design. 

Although  reliability-based  codes  are  beginning  to  emerge  for  jack-up  platforms 
and  tension  leg  platforms,  these  are  not  usable  in  practice  owing  to  calibration 
difficulties.

Design  for  ice  forces  in  the  Arctic  is  well  suited  for  probabilistic  treatment, 
but  developing  adequate  models  and  databases  remains  a  formidable  task. 

Life-cycle  design  optimization  appears  to  be  an  unattainable  goal  at  present 
owing  to  unavailability  of  sufficient  probabilistic  information.  However,  use  of 
probabilistic  methods  for  specific  limited  goals  appears  to  be  feasible  in  some 
cases  (e.g.,   limiting  downside  risk  if  extended  use  is  required). 

Research Needs. These include: the establishment of agreed methods for performing
system reliability analysis of complex or novel structural types and of
foundations; the development of acceptable methods for describing (a) joint
occurrence  of  environmental  loads  and  (b)  uncertainties  in  all  probabilistic 
estimates  of  concern;  development  of  philosophies  for  setting  performance  goals 
and  acceptance  criteria;  development  of  methods  for  transferring  reliability 
analysis  methods. 

For jacket reassessment/re-qualification, it is necessary to: establish
performance  goals  for  reserve  strength,  robustness,  consequences,  ductility; 
develop  techniques  for  assessing  realistically  material  characteristics  in  an 
existing  jacket  (e.g.,  toughness,  yield);  model  potential  occurrence  of 
sequential near failure loads and the resultant low-cycle degradation; evaluate
repair  techniques  and  their  probabilistic  implications;  establish  agreement  on 
approaches  to  analyzing  and  defining  ultimate  capacities  of  structures, 
particularly  under  earthquake  loading;  develop  methods  for  estimating  reserve 
strength  ratios  from  push-over  analysis;  collating  databases  for  use  in  public 
domain. 

For  optimal  inspection,  maintenance  and  repair  planning,  it  is  necessary  to 
develop:  methods  for  quantifying  probability  of  detection  and  correct  sizing  of 
defects;  inspection  planning  tools  linked  to  importance/criticality  of  component 
to  be  inspected;  and  approaches  to  foundation  condition  inspection  and 
assessment.

For  risk  management  of  novel  and/or  high  consequence  systems,  research  is  needed 
on:  establishing  relevant  failure  modes;  developing  system  reliability  tools  to 
investigate  sensitivity  of  overall  reliability  to  failure  modes  that  may  be 
overlooked;  assessment  of  human  error  effects  during  design  and  effects  of 
accidental  loads;  incorporating  uncertainties  in  system  reliability  analyses; 
establishing  target  risk  levels  that  account  for  modeling  uncertainties  and 
damage  tolerance  measures;  assessment  of  installation  risks;  establishing 
rationale for specifying environmental design criteria (e.g., 100-year,
1,000-year or 10,000-year load) and design factors; modeling of load effect
combinations.

For  reliability-based  design,  research  is  needed  on:  allowance  to  be  made  in 
codes  for  modeling  errors;  development  of  a  code  format  for  compliant/dynamic 
platforms;  combinations  of  environmental  effects  for  compliant/dynamic  platforms; 
system  redundancy/robustness  factors  in  design  codes;  split-factor  code  design 
for  foundation  systems  and  for  seismic  loadings;  probabilistic  modeling  of  ice 
forces  in  the  Arctic;  approaches  to  limit  "downside  risk"  following  from  decision 
to  extend  platform  use;  development  of  commonly  agreed  paradigms  for  developing 
reliability-based design codes.

Opportunities  for  Implementation.  Probabilistic  tools  are  already  available  for 
use  in  areas  where  the  needs  listed  earlier  exist.  There  are  opportunities  for 
implementation  in  each  of  these  areas,  provided  that  current  impediments  are 
overcome.  To  achieve  this,  the  following  are  needed:  firmer  guidance  in  use  of 
risk  analysis  results,  broader  dissemination  of  expertise  and,  when  warranted, 
explaining  to  managers/regulators  the  need  for  and  advantages  of  a  probabilistic 
approach.


Working Group #4. PRODUCTION FACILITIES


In  addition  to  the  preliminary  Working  Group  report  by  the  co-chairmen,  brief 
reports  were  presented  on  the  following  topics: 

(1)  Arco  practice  for  installations  in  the  Gulf  of  Mexico  and  in  the  U.K. 

(2)  Exxon  practice  for  platforms  in  Australia 

(3)  Mobil  practice  for  platforms  in  Nigeria 

(4) Perspectives of a small operator in the Gulf of Mexico, presented by
Paragon Engineering

(5)  Shell  Oil  practice  for  Gulf  of  Mexico  installations 

The  discussions  were  focused  on  risk  analysis.  Although  the  participants  kept  in 
mind  the  general  framework  proposed  for  Working  Group  discussions,  it  was  found 
more  effective  to  organize  the  report  around  the  following  questions: 

Do  We  Need  to  Adopt  More  Formal  Risk  Assessment  Technologies  for  Offshore 
Production  Facilities  Design  and  Operation?  It  was  noted  that  the  application  of 
risk assessments has been found useful both by authorities and oil companies.
Simplified  assessments  are  adequate  where  great  detail  and  accuracy  are  not 
needed.  The  practice  of  risk  assessment  has  been  established  in  areas  with  much 
larger  and  more  complex  platforms  than,  e.g.,  in  the  Gulf  of  Mexico.  Risk 
assessments  can  in  some  instances  be  useful  even  if  they  provide  only  qualitative 
information.  Risk  assessments  may  not  be  necessary  for  facilities  that  are 
similar  to  other  facilities  for  which  assessments  have  already  been  made,  or  for 
small  and  simple  platforms. 

Do  We  Need  a  Safety  Case  Similar  to  that  Proposed  by  Lord  Cullen  for  the  British 
Offshore  Industry?  The  Safety  Case  must  demonstrate  that  the  company's  Safety 
Management  System  (SMS)  and  the  installations  are  adequate  for  design  and 
operation.  The  Working  Group  concluded  that  SMS's  are  needed  and  that  API  RP  750 
provides  adequate  recommendations  for  such  systems.  Preparation  of  a  Safety  Case 
exactly  as  proposed  by  the  Cullen  Report  is  deemed  not  to  be  generally  necessary. 

What Techniques Should be Used to Identify Hazards in Offshore Facilities? No
technique is a substitute for experience. Hazard identification requires proper
definition  and  subdivision  of  facilities  and  activities.  No  hazard  should  be 
omitted  because  a  part  of  a  system  was  not  considered,  and  no  hazard  should  be 
counted  twice.  Typical  techniques  include  Hazard  and  Operability  Studies 
(HAZOP's),  use  of  checklists,  failure  mode  and  effects  analysis,  and  searches  for 
possible  unwanted  energy  releases.  HAZOP's  and  checklists  have  the  advantage  of 
facilitating  the  involvement  of  designers  and  operation  personnel  into  the  risk 
analysis,  but  for  new  types  of  applications  some  appropriate  guide-words  may  be 
missing  and  would  have  to  be  added.  None  of  the  techniques  listed  guarantees 
identification  of  all  hazards,  which  requires  a  combination  of  techniques 
supplemented  by  experience  and  judgement. 

What Tools Are Best Suited to Perform Consequence Analyses? Such tools include,
e.g., finite element capabilities, software, and so forth. To assist the risk
analyst  a  system  of  certification  of  such  tools  —  especially  software  —  would 
be  needed.  Databases  are  needed  for  selected  equipment  which  is  common  to  most 
platforms  and  which  is  vital  for  safety.  Better  data  are  also  needed  on  the 
reliability  of  human  interventions  and  reactions  in  critical  situations. 

Should Frequencies of Incidents be Part of a Risk Assessment or a Safety Case?
The analysis need not include detailed quantitative information on frequencies
if  decisions  on  alternatives  do  not  require  it.  The  Working  Group  was  not  in  full 
agreement  as  to  what  this  means  in  practice. 

What Type of Risk Acceptance Criteria Should be Used? The Working Group concluded
that  acceptance  criteria  should  preferably  be  qualitative.  However,  in  cases 
where  Quantified  Risk  Analyses  have  to  be  used,  the  criteria  should  be  in  the 
form  of  maximum  allowable  probability  for  loss  of  specified  safety  functions. 

Should  Regulations,  including  Risk  Acceptance  Criteria,  be  Prescriptive  or 
Performance  Oriented?  In  practice  offshore  regulations  are  basically 
prescriptive,  but  some  classification  societies  accept  the  "equivalent  safety 
principle,"  which  allows  deviations  from  prescriptive  rules.  The  Working  Group 
concluded  that  prescriptive  regulations  are  desirable  for  simple  platforms  in 
well  known  environments;  performance  oriented  regulations  may  be  desirable  in 
more  complex  situations;  and  the  "equivalent  safety  principle"  should  always  be 
included. 

What  Resources  Should  be  Provided  to  Enhance  Process  Safety,  and  Which 
Organizations  Should  Take  the  Lead  in  Providing  Them?  Industry  should  cooperate 
to  develop  risk  management  and  design  guidelines  on  various  aspects  of  design, 
operations,  and  hazard  identification;  failure  rate  databases  on  about  25  types 
of  offshore  production  equipment  and  on  human  errors;  structural  design 
guidelines  for  accidental  loading  due  to  fire  and  explosion;  exchange  of  accident 
data  for  production  facilities;  and  better  quality  databases  covering  a  broader 
range  of  accident  severity.  Industry  and  government  agencies  should  cooperate  to 
develop  and/or  accept  models  and  corresponding  parameters  for  use  in  accident 
consequence  assessments. 

Conclusions.  Formal  risk  assessments  may  enhance  the  reliability  of  offshore 
facilities.  However,  preparation  of  a  safety  case  on  the  model  proposed  by  Lord 
Cullen  was  deemed  unnecessary  for  facilities  installed  in  the  open  atmosphere. 
Factors  that  influence  the  need  for  formal  risk  assessment  include  confinement 
within  modules,   and  density  of  obstacles  and  of  potential  sources  of  release. 

Working  Group  #5.  PIPELINES  AND  SUBSEA  SYSTEMS 

The  discussions  were  based  in  large  part  on  recommendations  of  a  report  on  this 
theme  included  in  the  Proceedings  of  the  1984  International  Workshop  on 
Application  of  Risk  Analysis  to  Offshore  Oil  and  Gas  Operations  held  at  the 
National  Bureau  of  Standards,  Gaithersburg,  Maryland. 

State  of  Practice.  Different  techniques  are  generally  used  for  subsea  systems  on 
the  one  hand  and  for  pipelines  on  the  other.  Techniques  used  for  subsea  systems 
include: (i) Failure Mode and Hazard Identification Techniques (e.g., Check
Lists; Failure Mode and Effects Criticality Analysis (FMECA); and Hazard and
Operability  Studies  (HAZOPs));  (ii)  System  Evaluation  Methods  (e.g.,  Fault  Trees; 
Event  Trees;  Network  Analysis;  Parts  Counts/Parts  Stress  Method;  Availability 
Modeling;  Dropped  Object  Risk  Assessments).  For  pipelines  industry  generally 
relies  for  safety  on  pipeline  design  standards.  Internal  and  external  inspection 
are  used  to  remove  doubts  on  the  condition  of  a  pipeline. 

Problem Areas. For subsea systems hardware the need exists for definitive failure
rate  data  for  components;  however,  data  on  causes  of  failure  do  not  appear  to  be 
necessary  at  this  time.  Current  reliability  prediction  techniques  at  a  systems 
level  were  viewed  as  adequate.  Development  of  techniques  for  prediction  of 
component  reliability  from  first  principles  was  considered  impractical  and 
largely  unnecessary.  However,  methods  for  relating  component  reliability  to 
design,  quality  assurance,  or  manufacturing  practice  would  be  useful  to  component 
manufacturers  and  for  reliability  specifications.  For  subsea  operations  the  need 
for and the benefits of risk assessments for dropped objects were discussed. A
code of practice for such assessment appears to be of interest particularly for
North  Sea  operators.  Research  appears  to  be  needed  on  models  for  trajectories  and 
velocities  of  falling  objects  in  water.  For  pipelines  it  was  noted  that  although 
existing  standards  have  served  the  industry  well,  they  have  a  number  of 
deficiencies,  such  as:  (a)  not  dealing  with  certain  failure  modes,  including 
those  due  to  corrosion  or  other  damage,  or  upheaval  buckling  in  the  North  Sea  and 
Arctic;  (b)  reliance  on  subjective  stress  safety  indices,  rather  than  on 
quantification  of  component  or  system  reliability;  (c)  lack  of  guidance  on 
inspection  data  accuracy  and  on  how  inspection  data  should  be  effectively  used 
in  risk/reliability  assessments  for  maintenance  and  rehabilitation  decisions. 
These  deficiencies  may  be  due  to  the  assumption  —  which  may  or  may  not  be 
warranted  —  that  the  reliability  of  pipelines  is  so  high  compared  to  that  of 
subsea  system  components  that  it  may  be  neglected  as  a  factor  in  overall 
reliability  analyses.  There  was  general  interest  in  use  of  risk  and  reliability 
assessment  methods  for  existing  pipelines,  and  some  support  for  the  gradual 
development  of  a  code  of  practice.  For  both  subsea  systems  and  pipelines,  the  use 
of  hazard  analysis  techniques  is  needed  in  the  context  of  a  total  effort  also 
involving  topside  facilities.  Documented  guidance  in  the  form  of  a  code  of 
practice  on  the  use  of  these  techniques  will  be  a  useful  and  important  step. 

Opportunities  for  Implementation  and  Application.  (1)  Reliability,  availability 
and  hazard  assessment  tools  should  be  developed  in  view  of  their  importance  for 
effective  subsea  technology  implementation  and  application.  (2)  While  those  tools 
exist,  there  is  a  need  for  standards,  guidelines,  and  recommended  practices.  (3) 
The  development  of  a  comprehensive  reliability-based  code  of  practice  is 
desirable  but  not  practical  except  as  a  gradual,  long-term  proposition.  (4)  In 
the  short  term  recommended  practices,  reliability  and  event  data  requirements, 
and  recommended  data  sources  should  be  developed  for  subsea  systems  HAZOPs, 
FMECAs, Fault Trees, and Availability Analyses. (5) API and MMS would be the most
appropriate  bodies  for  generating  recommended  practices  and  codes.  (6)  Current 
lack  of  a  generally  available  database  for  subsea  operations  is  an  obstacle  to 
the application of quantitative reliability assessment techniques. (7) Given the
sparsity  of  subsea  reliability  data  and  event  data,  it  is  recommended  that  an 
international  joint  industry-government  program  on  collection  of  such  data  be 
initiated for subsea components, pipelines and systems.

Working Group #6. DRILLING OPERATIONS


State  of  Practice.  Reliability  analysis  methods  are  not  routinely  used  in 
drilling  operations.  To  help  understand  their  potential  application  the  Working 
Group  report  briefly  reviews  the  basic  concepts  used  in  this  type  of  analysis, 
the  way  in  which  drilling  operations  are  managed,  and  the  primary  hazards 
affecting  them.  It  is  noted  that  the  overall  drilling  process  does  not  lend 
itself  to  classical  reliability  analysis.  Nevertheless,  a  number  of  offshore 
drilling sub-systems and processes are cited that have been studied using
reliability  analysis  procedures. 

Problem  Areas.  These  include  the  absence  of  accurate  data  on  failure  modes  and 
failure  rates.  The  accurate  modeling  of  human  error  becomes  increasingly 
difficult  as  the  complexity  of  the  system  increases  and  the  amount  of  interaction 
required  for  system  operation  is  larger.  Various  agencies  have  overlapping 
requirements.   Internationally  recognized  standards  are  needed. 

Research  Needs.  High  priority  should  be  given  to:  (1)  rig  automation,  (2)  escape 
and  evacuation  in  harsh  environments,  (3)  handling  shallow  gas  flows,  (4)  optimum 
frequency  of  testing  subsea  blowout  preventer  equipment,  and  (5)  safety  margins 
in  casing  programs. 

PURPOSE OF THE WORKSHOP


The  purpose  of  the  Workshop  was  to  discuss  current  practice,  progress,  and  future 

WELCOMING REMARKS


Dr.  Richard  N.  Wright 
Director,   Building  and  Fire  Research  Laboratory 
National  Institute  of  Standards  and  Technology 

Representatives  of  the  petroleum  industry,  consulting  firms,  government  agencies, 
and  academic  and  research  institutions,  from  the  United  States,  Canada,  the 
United  Kingdom,  France  and  Norway  are  gathered  here  today  in  an  effort  to  advance 
the  state  of  the  art  in  the  fields  of  risk  management  and  safety/reliability 
analysis  of  offshore  oil  and  gas  operations. 

NIST  is  proud  of  its  long  history  of  contributions  to  the  solution  of  technical 
problems  related  to  offshore  operations.  For  more  than  three  decades  designers 
of  offshore  platforms  around  the  world  have  used  wave  loading  criteria  based  on 
the  dimensionless  number  named  after  Keulegan  and  Carpenter,  two  fluid 
dynamicists  who  performed  their  classic  work  at  the  National  Bureau  of  Standards. 

More  recently,  the  Minerals  Management  Service,  the  principal  co-sponsor  of  this 
Workshop,  has  supported  NIST  work  on  structural,  fire,  and  materials  problems 
involved  in  offshore  operations.  This  work  has  included  research  on  the  dynamics 
and  reliability  of  deep-water  compliant  platforms;  arctic  concrete  structures; 
weldments  of  arctic  structures;  concrete  punching  shear;  composite  materials  for 
deep-water structures; fitness-for-service fatigue criteria; containment of blowout
fires; promotion of burning of oil on water, and the study of the pollutants
produced  by  such  burning.  Some  of  this  work  has  subsequently  developed  into 
large  joint  industry  projects,   as  in  the  case  of  the  punching  shear  project. 

Given  this  history,  NIST  is  pleased  to  serve  as  a  host  and  co-sponsor  of  this 
Workshop.

Our  countries  have  a  great  stake  in  the  development  of  procedures  ensuring  that 
offshore oil and gas operations are safe and pollution-free. It is the goal of
this  Workshop,  of  its  distinguished  speakers,  of  its  Working  Group  Chairmen,  and 
of  its  participants,   to  contribute  to  this  development. 

I  wish  you  every  success  in  your  work  toward  this  goal. 

Thomas Gernhofer
Associate  Director,  Minerals  Management  Service 
U.  S.  Department  of  the  Interior 

On  behalf  of  Mr.  Barry  Williamson,  the  Director  of  the  Minerals  Management 
Service (MMS), welcome to the Workshop on the Reliability of Offshore Operations.

The new MMS 5-year lease plan emphasizes the development of natural gas. There
are  eight  sales  scheduled  in  the  Alaska  Region,  two  in  the  Atlantic  Region, 
twelve  in  the  Gulf  of  Mexico  Region,   and  one  in  the  Pacific  Region. 

As  a  result,  operations  on  the  Outer  Continental  Shelf  will  be  moving  into  two 
new  frontiers,  deep  water  and  arctic  ice.  The  MMS  is  leasing  tracts  in  water 
depths  up  to  3,000  m.  Such  water  depths  pose  a  technological  challenge  for 
exploration  and  development.  The  sale  areas  in  Alaska  include  remote  areas  of 
the  Beaufort  and  Chukchi  Seas  where  ice  conditions  will  make  operations  more 
difficult.

The  offshore  industry  has  a  good  safety  record  and  the  MMS  will  strive  to  ensure 
its  preservation  by  expanding  MMS  requirements  for  safety,  training,  and 
environmental  protection.  The  MMS  is  also  considering  a  new  inspection  strategy 
for  the  Gulf  of  Mexico  that  includes  increased  numbers  of  unannounced  oil  spill 
drills  and  the  reinstatement  of  civil  penalties. 

The  MMS  will  also  increase  funding  for  oil  spill  containment  and  cleanup  research 
and  will  reopen  the  Oil  and  Hazardous  Material  Simulated  Environmental  Test  Tank 
(OHMSETT).

The  MMS  is  actively  pursuing  establishing  ties  with  foreign  regulatory  agencies 
and  has  cooperative  agreements  with  the  United  Kingdom,  Canada,  and  Australia  for 
research  purposes. 

Finally,  the  MMS  will  continue  to  sponsor  international  workshops  like  this  one. 
These  have  proven  to  be  valuable  to  industry  and  government  alike.  Future 
workshops  are  planned  for  offshore  pipeline  safety,  and  seismic  effects  on 
platforms.

Thank  you  and  have  a  successful  workshop. 

SAFETY AND ENVIRONMENTAL PROTECTION
FOR OFFSHORE OIL AND GAS OPERATIONS
IN CANADA


G.R.  Yungblut 
Director  General,  Engineering  Branch 
Canada  Oil  and  Gas  Lands  Administration 


ABSTRACT 

This  paper  presents  an  overview  of  the  Canada  Oil  and  Gas  Lands  Administration 
(COGLA), its mandate and responsibilities, the legislative authority under which
it  has  operated,  and  a  fairly  detailed  explanation  of  the  regulatory  process, 
procedures  and  requirements  it  has  formulated  and  implemented  to  provide  for 
safety  and  environmental  protection  for  offshore  oil  and  gas  operations  in 
Canada. 


1.     Background  and  Responsibilities 

For  the  past  10  years  the  Canada  Oil  and  Gas  Lands  Administration  has  been  the 
Federal  Government's  principal  contact  with  the  petroleum  industry  in  matters 
relating  to  the  management  and  regulation  of  oil  and  gas  activities  on  what  is 
technically  known  as  Frontier  Lands.  COGLA  was  established  in  1981  by  a 
Memorandum  of  Understanding  between  the  Minister  of  Energy,  Mines  and  Resources 
and  the  Minister  of  Indian  and  Northern  Affairs.  It  replaced  the  Resource 
Management  Branch  of  EMR  and  the  Northern  Non-Renewable  Resources  Branch  of  DIAND 
who,  at  that  time,  were  responsible  for  oil  and  gas  matters  on  Canada  Lands  —  the 
Resource  Management  Branch  for  those  areas  lying  South  of  60°  and  the  Northern 
Non-Renewable Resources Branch for areas North of 60°. At that time, Frontier
Lands  included  all  offshore  areas  on  both  the  East  and  the  West  Coasts,  the 
Arctic  Offshore,  the  Hudson  Bay,  the  Arctic  Islands,  the  Yukon  Territory  and  the 
Northwest  Territories. 

Since  then,  agreements  have  been  reached  with  the  Newfoundland  and  the  Nova 
Scotia  Provincial  Governments  whereby  the  management  and  regulatory 
responsibilities  on  the  East  Coast  have  been  assigned  to  offshore  petroleum 
boards.  At  present,  COGLA  is  responsible  for  the  Arctic  Offshore,  the  Hudson 
Bay,  the  West  Coast,  the  Arctic  Islands,  the  Yukon  Territory  and  the  Northwest 
Territories.  However,  agreements-in-principle  are  in  the  process  of  being 
negotiated  which  will  eventually  turn  over  the  responsibilities  for  oil  and  gas 
activities in these regions to organizations that are structured similarly to those
that  now  exist  in  Nova  Scotia  and  Newfoundland. 

The  prime  responsibilities  of  COGLA  are  twofold.  The  first  is  to  manage  the  oil 
and  natural  gas  resources  that  lie  within  Frontier  Lands.  The  second  is  to 
regulate  the  exploration  for  and  the  development  and  production  of  these 
hydrocarbon  resources.  To  facilitate  the  carrying  out  of  its  mandate,  COGLA  is 
organized  with  five  branches.  These  are:  the  Rights  Management  Branch,  the 
Resource  Evaluation  Branch,  the  Policy  Analysis  and  Coordination  Branch,  the 
Environmental Protection Branch and the Engineering Branch. Today, I will be
discussing mainly the work of the Engineering Branch and indirectly the support
provided by the Resource Evaluation Branch and the Environmental Protection
Branch.

The  responsibility  to  manage  the  oil  and  gas  resources  involves  acting  as  the 
property  manager,  on  behalf  of  the  Canadian  public,  of  those  resources  on  lands 
that  are  the  direct  responsibility  of  the  Federal  government.  The  authority  to 
manage  federally  controlled  lands  is  provided  through  the  Canada  Petroleum 
Resources  Act.  In  performing  this  function,  COGLA  evaluates  the  potential  of 
each  geological  basin  and  arranges  for  land  sales  whereby  companies  can  acquire 
the  right  to  explore  for  oil  and  gas.  Tied  to  this  exploration  activity  is  the 
right  of  the  company  to  produce  whatever  hydrocarbon  resources  are  discovered. 

Also  instrumental  to  the  management  role  of  COGLA  is  its  responsibility  to  ensure 
that  resources  are  explored  for,  that  they  are  developed  in  an  appropriate  time 
frame,  and  that  the  terms  and  conditions  of  any  development  and  production 
activity  are  such  that  the  government  and  the  public  will  receive  the  best 
overall  return  from  the  resource.  The  return  from  the  resource  is  not  simply 
royalties  but  includes  employment,  creation  of  new  skills,  development  of 
infrastructure  in  remote  areas,  meeting  the  security  of  Canada's  supply  needs, 
and  many  other  associated  benefits. 

The  responsibility  to  regulate  oil  and  gas  activities,  which  is  provided  through 
the  Oil  and  Gas  Production  and  Conservation  Act,  involves  ensuring  that  the 
program  of  work  is  carried  out  in  such  a  manner  that  the  workers'  safety  is 
adequately  protected,  that  the  risk  of  pollution  to  the  environment  is  minimized, 
that  the  hydrocarbon  resources  are  not  wasted  through  poor  production  practices, 
and  that  the  exploration,  production  and  transportation  facilities  that  are  to 
be  used  in  connection  with  the  program  of  work  satisfactorily  provide  for  the 
above.  These  concerns  are  regulated  through  a  system  of  approvals  based  on  a 
comprehensive  assessment  of  a  proposed  project  against  the  requirements  and 
standards  set  out  in  regulations  and  guidelines.  In  addition,  during  the  life 
of  an  exploration  or  production  project,  all  facilities  and  operations  are 
carefully  monitored  and  regularly  inspected  to  ensure  that  the  facilities  are 
being  adequately  maintained,  that  proper  operating  and  safety  procedures  are 
being  followed  and  that  good  resource  management  practices  are  being  implemented. 

COGLA  presently  administers  three  significant  pieces  of  legislation.    They  are: 

-  The  Canada  Petroleum  Resources  Act; 

-  The  Oil  and  Gas  Production  and  Conservation  Act;  and 

-  Part  II  of  the  Canada  Labour  Code. 

The first piece of legislation, the Canada Petroleum Resources Act (CPRA),
provides for the granting to individuals or companies of the right to search for,
to develop and to produce petroleum resources. Its main features consist of:

- the process for granting rights and interests;

- establishing "exploration licenses";

- establishing "significant discovery licenses";

- requiring at least 50% Canadian ownership in the development of a field;

- authority to set and collect royalties;

- establishing the "environmental studies research fund";

- establishing processes for transfers, assignments and registration of
interests; and

- generally provides for enforcement.

The  second  piece  of  legislation  is  the  Oil  and  Gas  Production  and  Conservation 
Act (OGPCA). The purpose of the Act is:

- to ensure the safety of workers;

- to prevent pollution;

- to prevent the waste of resources;

- to ensure proper facilities are used; and

- to encourage the use of Canadians.

This Act has incorporated several important features pertinent to the regulation
of oil and gas activities. It:

- provides authority to make regulations;

- provides authority to regulate;

- establishes the requirement for an approved development plan;

- creates a "Chief Conservation Officer" to make decisions respecting
safety, resource conservation, and pollution prevention - with the power
to order activities to cease;

- creates "Conservation Engineers" to enforce the Act and its regulations -
with the power to order activities to cease if a safety regulation is
being violated;

- provides for forced unitization;

- creates "absolute liability" in regard to spills and debris;

- provides for prosecution where an operator contravenes the regulations or
certain other parts of the Act, and stipulates the maximum penalties; and

- establishes the "Oil and Gas Committee" to hear appeals, to hold inquiries
and to make orders in respect of resource conservation matters such as
water flood schemes, pressure maintenance, etc.

Amendments  to  this  Act  are  presently  in  the  process  of  being  prepared.  These 
amendments  are  primarily  in  response  to  the  recommendations  of  the  Royal 
Commission  on  the  Ocean  Ranger  Disaster  (Hickman  Commission)  and  other  work  that 
was  done  around  that  disaster.  The  main  purpose  of  the  amendments  is  to  further 
enhance  the  safety  provisions  of  the  Act.     These  will  consist  of: 

—  establishing  the  requirement  that  owners  and  operators  provide  a 
declaration  that  equipment  and  facilities  are  fit  for  the  purpose  for 
which  they  are  to  be  used; 

—  establishing  the  requirement  that  operators  obtain  a  "Certificate  of 
Fitness"  for  certain  facilities  and  installations  from  an  approved 
"Certifying  Authority"; 

—  creating  a  "Chief  Safety  Officer"  and  "Safety  Officers"  who  will  have  the 
power  to  order  activities  to  cease  if  there  is  risk  to  the  worker; 

—  creating  a  requirement  for  each  offshore  installation  to  have  an 
"Installation  Manager"  who  will  have  specific  powers,  similar  to  those  of 
a  ship's  captain,  and  who  will  be  required  to  have  specific 
qualifications; 

—  creating  an  "Oil  and  Gas  Administration  Advisory  Council"  which  will  be 
tasked  with  ensuring  consistency  in  the  application  of  regulations  amongst 
the  various  regulatory  agencies; 

—  creating  an  "Offshore  Oil  and  Gas  Training  Standards  Advisory  Board"  which 
will  be  tasked  with  advising  on  the  training  requirements  of  offshore 
workers  and  on  the  adequacy  of  various  training  courses;  and 

—  establishing  the  requirement  for  an  independent  investigation  of  all 
serious  accidents  or  oil  spills. 

The  third  piece  of  legislation  is  the  application  of  the  "Canada  Labour  Code". 
COGLA  was  given  the  responsibility  for  enforcing  it,  through  a  Memorandum  of 
Understanding  with  Labour  Canada,   in  1987. 

The Labour Code's principal objective is to ensure a safe work place. Its main
features consist of:

- the authority to make and enforce regulations;

- establishing an employee's right to know if a danger exists;

- establishing an employee's right to participate in matters involving
safety;

- establishing an employee's right to refuse dangerous work;

- establishing the specific duties of the employee and employer with respect
to safety matters; and

- creates "Safety Officers" and "Regional Safety Officers".

COGLA  enforces  two  sets  of  regulations  under  Part  II  of  the  Canada  Labour  Code. 
The first is the Oil and Gas Occupational Safety and Health Regulations (OSH).
It deals primarily with:

- specifying the equipment and material that can or should be used;

- requiring and specifying how workers are to be given information on
hazardous material to meet the Workplace Hazardous Materials Information
System (WHMIS) requirements;

- ensuring accidents and dangerous situations are reported and investigated;

- requiring that safety procedures are in place; and

- requiring that workers be properly trained and informed about potential
dangers.

The  second  set  of  regulations  enforced  by  COGLA  under  Part  II  of  the  Canada 
Labour  Code  is  the  Safety  and  Health  Committee  and  Representatives  Regulations. 
These  regulations  establish  the  make-up  of  the  "Safety  and  Health  Committee"  and 
how the Committee is to carry out its duties and responsibilities.

Several  sets  of  regulations  pertaining  to  safety,  resource  conservation  and 
environmental  protection  have  been  drafted  by  COGLA  pursuant  to  the  Oil  and  Gas 
Production  and  Conservation  Act.  At  present,  five  sets  of  regulations  have  been 
promulgated  under  this  Act  and  five  sets  are  in  various  stages  of  preparation. 
Special  features  of  a  few  of  the  regulations  presently  administered  by  the 
Engineering  Branch  of  COGLA  will  now  be  discussed. 

The first set of regulations, the Drilling Regulations, were promulgated in 1979
with minor amendments in 1988 and 1990. The Drilling Regulations feature two
approvals:

- the Drilling Program Approval (DPA); and

- the Authority to Drill a Well (ADW).

These  regulations  contain: 

- a requirement that the drilling unit, drilling systems and other related
equipment meet specified standards;

- a requirement that the well design meets certain standards;

- a requirement to test and inspect equipment periodically;

- a requirement to have contingency plans;

- a requirement to dispose of waste materials in an approved way;

- a requirement to report daily to the Chief Conservation Officer;

- a requirement to test and evaluate the well;

- a requirement to take and keep samples;

- a requirement to have trained personnel and regular drills; and

- a requirement to keep and submit records.

The  process  for  approving  the  drilling  of  a  well  involves  two  steps.  First,  the 
operator  must  apply  for  an  approval  for  its  drilling  program,  i.e.  a  Drilling 
Program  Approval.  The  application  for  Drilling  Program  Approval  is  required  to 
be  submitted  four  months  prior  to  the  spud  of  the  first  well  in  the  program  and, 
where  applicable,  must  provide  details  on  the  following: 

- general information on the project including the geography, holders of
interest in the exploration agreement, the number of wells to be drilled,
and the duration of the drilling program;

- details on the construction of the drilling base (i.e. ice, berm or
artificial island), if applicable, including the design, the construction
plan, the source of material, the monitoring and instrumentation, etc.;

- results of pre-drilling site-specific seabed investigations;

- complete details on the drilling unit including:
   - plans, diagrams and specifications;
   - drilling and marine equipment, maintenance and operations manuals; and
   - personnel safety equipment and safety systems;

- details on the support crafts and systems including:
   - the standby and supply boats;
   - the supply base;
   - the aircraft support; and
   - the communications systems;

- details on the geology of the area and on the procedures to deal with
potential problems or hazards such as:
   - overpressured formations, gas hydrates, slumping formations; and
   - casing, cementation and logging programs that will be used to
     control the problems;

- description of the physical environment including:
   - meteorological, oceanographic, ice and climatic data; and
   - the weather and ice forecasting arrangements;

- a discussion of environmental concerns including:
   - impact of the operation on the environment;
   - the drilling unit response to extreme environmental or accidental
     events;
   - mud disposal, particularly any mud containing oil; and
   - sewage and waste treatment;

- and finally, complete contingency plans for all potential accidents or
threats including:
   - serious injury or death;
   - a major fire;
   - loss or damage to a drilling unit or support craft;
   - oil spills;
   - collisions;
   - loss of well control (blowouts);
   - drilling of relief wells; and
   - rescue at sea.

COGLA  carefully  reviews  and  evaluates  the  information  submitted  in  support  of  the 
application  in  consultation  with  experts  in  other  departments  and  agencies.  When 
COGLA  is  satisfied  that  the  drilling  program  provides  the  framework  for  a  safe, 
environmentally  sound  drilling  project  the  Chief  Conservation  Officer  approves 
the  program. 

The  operator  requires  a  second  approval,  an  "Authority  to  Drill  a  Well",  before 
drilling  can  actually  commence.  The  application  for  an  Authority  to  Drill  a  Well 
is  required  to  be  submitted  at  least  21  days  prior  to  spud  for  each  well  in  a 
drilling  program  and  should  include: 

- general information including a wellsite project summary, the
participants, and a survey plan;

- proof of adequate financial resources and insurance; and

- the specific well prognosis including:
   - the anticipated geological stratigraphy;
   - drilling plan - including casing setting depths and sizes, mud
     program, logging program, deviation control, etc.;
   - specific relief well arrangements;
   - specific environmental concerns at the location; and
   - any modifications to contingency plans for the specific location.

As with the Drilling Program application, this information is carefully reviewed
and evaluated by COGLA in consultation with other departments and agencies with
particular attention to the well design and to the procedures that will be used
to combat potential hazards. When COGLA is satisfied that the plan for the
drilling of that well provides for a safe, pollution-free operation, a
Conservation Engineer will approve the drilling of that particular well. The
actual  drilling  operations  are  inspected  regularly  to  ensure  that  the  regulations 
are  being  complied  with  and  that  the  approved  program  and  specific  wellsite  plans 
are  being  followed. 

Another very significant set of regulations, the Production and Conservation
Regulations, were promulgated in 1990. These regulations also feature two
approvals,  namely: 

—  a  Development  Plan  Approval;  and 

—  a  Production  Operations  Authorization. 

These  Regulations  stipulate  that  no  approval  for  work  that  involves  the 
development  of  a  field  is  valid  unless  there  is  an  approved  development  plan  for 
that  field.  The  approval  process  for  the  development  of  a  large  field,  such  as 
the  Hibernia  field,  is  extensive.  As  a  first  step,  the  operator  must  prepare  a 
comprehensive  development  plan.  The  application  for  Development  Plan  Approval 
must  describe  in  detail  how  it  is  intended  to  develop  the  field  and  must  include: 

—  information  on  the  scope,  the  purpose,  the  location,  the  timing  and  the 
nature  of  the  proposed  development,  and  the  physical  environmental 
conditions  at  the  location; 

—  information  on  the  production  rate,  on  how  the  field  was  evaluated,  on  the 
estimated  amounts  of  oil  and  gas  expected  to  be  recovered,  the  reserves, 
the  recovery  methods  including  secondary  recovery,  and  the  production 
monitoring  procedures; 

—  information  on  the  estimated  cost  of  the  development; 

—  information  not  only  on  the  preferred  production  system  but  on  any 
alternative  production  systems  that  could  be  used;  and 

—  reports  of  all  environmental,  engineering  feasibility  and  other  studies 
necessary  for  a  comprehensive  review  and  evaluation  of  the  proposed 
development.

On  the  environmental  side,  the  development  plan  must  include  an  "Environmental 
Impact  Statement"  that  describes  both  the  physical  and  biological  environment, 
and  the  environmental  impacts  that  are  likely  to  arise  from  the  project.  This 
statement  must  include  the  mitigative  measures  that  the  operator  will  be  prepared 
to take.

In  addition  to  the  environmental  impact  statement,  the  operator  must  provide,  as 
part  of  the  development  plan,  a  "Benefits  Plan"  which  sets  out  how  the  operator 
intends  to  ensure  that  Canadians  and  Canadian  manufacturers  will  be  given  a  full 
and  fair  opportunity  to  participate  in  the  project. 

When  the  development  plan  is  submitted  to  COGLA,  it  is  thoroughly  studied  and 
evaluated  and  where  there  are  deficiencies,  the  operator  is  asked  for  more  data 
and may be asked to undertake further work or studies. This comprehensive
assessment is undertaken in consultation with experts in other departments and
agencies and, if necessary, COGLA will engage outside consultants to assist in
the evaluation process.

When  COGLA  is  satisfied  that  the  development  plan  provides  a  framework  within 
which an efficient, reliable, safe, pollution-free project can be carried out,
the plan is approved. The operator can then commence with the detailed
engineering  design  and  construction  activities.  However,  the  operator  must  still 
comply  with  the  relevant  regulations  under  the  Oil  and  Gas  Production  and 
Conservation  Act  as  it  carries  out  the  project. 

Coinciding  with  the  development  plan  assessment  there  will  likely  be  an 
environmental  assessment  and  review,  following  the  "EARP"  process.  This  process 
independently  assesses  the  environmental  and  socio-economic  aspects  and  impacts 
of  the  project.  In  most  cases,  it  will  include  a  public  review  and  public 
hearings.  As  recent  court  cases  have  demonstrated,  EARP  has  become  an  essential 
part  of  the  process  for  approving  any  project  in  which  the  federal  government  is 
involved, either as a regulator or as an interest holder.

The  second  approval  connected  with  the  Production  and  Conservation  Regulations 
is  the  Production  Operations  Authorization.  It  is  granted  after  the  production 
installation  has  been  constructed,  put  in  place  and  is  complete  and  ready  to 
operate  in  the  production  mode.  As  a  condition  to  that  approval,  the  operator 
must  comply  with  all  other  relevant  provisions  of  the  Production  and  Conservation 
Regulations  and,  if  the  installation  is  an  offshore  installation,  must  obtain  a 
Certificate  of  Fitness  for  that  installation. 

Another important set of safety-related regulations is the proposed
Installations Regulations. Although these draft regulations contain no specific
approvals, they do contain numerous safety requirements pertaining to the
structure and its facilities. These regulations:

-  specify  the  analyses  that  must  be  done  -  i.e.  structural  analyses,  fatigue 
analysis,  safety  analysis,  etc.; 

- specify the loads that must be considered and how they are to be
determined;

-  specify  the  materials  acceptable  for  use; 

-  specify  acceptable  standards  for  design,  construction  and  installation; 

- specify requirements for the protection of the installation, i.e., against
corrosion, collision and fire;

- specify the requirements for personnel protection, i.e., personnel safety
devices, lifesaving equipment, firefighting systems;

-  specify  requirements  for  site-specific  investigations; 

- specify requirements for operations and maintenance manuals;

- specify requirements for monitoring and inspection during operations; and

-  form  the  primary  basis  on  which  a  Certificate  of  Fitness  can  be  granted. 

The last set of regulations I would like to draw to your attention are the
proposed Certificate of Fitness Regulations. These regulations establish the
criteria for a valid Certificate of Fitness and identify who is authorized to
issue a Certificate of Fitness. The four organizations that have been approved,
to date, are:

-  American  Bureau  of  Shipping; 

- Lloyd's Registry;

- Det norske Veritas; and

- Bureau Veritas.

These regulations also:

- specify the criteria that must be met in order that a valid Certificate of
Fitness can be issued;

-  specify  that  the  Certifying  Authority  must  carry  out  an  approved  scope  of 
work; 

-  specify  the  circumstances  under  which  the  Certificate  of  Fitness  becomes 
invalid  and  the  consequences;  and 

-  specify  how  a  change  of  a  Certifying  Authority  may  take  place. 

To assist an operator in the use of certain Regulations made under the Oil and
Gas Production and Conservation Act, COGLA has developed and issued several
guidelines  which  provide  pertinent  information  on  the  interpretation  and 
procedures  to  be  followed  in  complying  with  the  requirements  of  the  Regulations. 
These  guidelines  include: 

- Geophysical and Geological Programs on Frontier Lands, Guidelines for
Approval and Reports;

-  Guidance  Notes  for  the  Canada  Oil  and  Gas  Drilling  Regulations; 

-  Development  Plan  Application  Guidelines; 

-  Offshore  Waste  Treatment  Guidelines; 

-  Guidelines  for  the  Use  of  Oil  Based  Drilling  Muds;  and 

- Physical Environmental Guidelines for Drilling Programs in the Canadian
Offshore.

2. Summary


In summary then, the regulations which have been developed and implemented by the
Engineering  Branch  of  COGLA  have  defined  requirements,  standards  and  criteria 
essential  to  the  enhancement  of  safety  and  environmental  protection  for  offshore 
oil  and  gas  operations.  These  are  applied  through  a  process  whereby  each 
activity  or  project  is  thoroughly  assessed  to  determine  if  the  regulations  and 
standards  can  be  met  through  the  life  of  the  project  followed  by  regular 
inspections  to  ensure  that  they  continue  to  be  met.  In  this  regard,  if  methods 
and  procedures  to  quantitatively  assess  the  reliabilities  and  risks  associated 
with  each  activity  or  project  were  available,  this  assessment  would  be  even  more 
definitive which would further enhance safety and environmental protection.

U.K. ENFORCEMENT OF RISK AND RELIABILITY MANAGEMENT OF OFFSHORE OIL AND GAS OPERATIONS


J.  R.  Petrie 

Deputy  Head  of  Offshore  Safety  Division,  Health  and  Safety  Executive,  U.K. 

ABSTRACT 

This  paper  briefly  describes  the  Offshore  Safety  Division,  Health  and  Safety 
Executive;  discusses  the  Piper  Alpha  disaster;  discusses  principles  of  managing 
risk  and  reliability  and  safety;  and  concludes  with  considerations  on  how  these 
principles  might  be  applied  offshore. 

1.  The  Offshore  Safety  Division,  Health  and  Safety  Executive 

The  U.K.  government  agency  charged  with  administering  occupational  health,  safety 
and  welfare  law  offshore  is  the  Offshore  Safety  Division  (OSD)  of  the  Department 
of Energy. However, we are in the process of transferring this Division to the
Health and Safety Executive (HSE). This Division is responsible, amongst other
things,  for  the  making  of  regulations  and  guidance  notes  and  monitoring  and 
enforcing  compliance  with  satisfactory  health  and  safety  standards. 

2. The Piper Alpha Disaster

The  year  1988  saw  the  Piper  Alpha  disaster  in  which  167  people  lost  their  lives 
and  a  major  oil  production  platform  was  destroyed  as  a  result  of  a  succession  of 
fires  and  explosions  fed  from  a  very  large  fuel  supply  from  a  number  of  gas  and 
oil  pipelines.  Piper  Alpha  was  located  in  the  North  Sea  approximately  125  miles 
northeast  of  Aberdeen  on  the  Scottish  mainland. 

The  most  likely  primary  cause  of  the  disaster  was  not  related  to  hardware 
failures  but  was  a  consequence  of  human  error.  Both  the  Public  Inquiry  and  my 
technical  investigation  concluded  that  the  immediate  cause  was  that  condensate 
had  been  inadvertently  admitted  to  an  unsealed  pipe  end.  The  pipe  end  had  been 
left  in  a  non-gas  tight  condition  as  a  result  of  incomplete  maintenance  work. 

Persons  on  the  subsequent  shift,  apparently  unaware  of  the  open  state  of  this 
particular  condensate  line,  opened  valves  so  allowing  considerable  quantities  of 
flammable  gas  to  escape.  The  valves  did  not  have  any  physical  impediments  in  the 
way  of  secure  mechanical  isolation  to  prevent  them  from  being  activated. 

Inevitably  the  condensate  vaporized  and  was  ignited.  The  source  of  ignition  was 
never  positively  identified.  Our  main  findings  were  that  the  ensuing  explosions 
and  fires  rapidly  escalated  and  pipelines  were  ruptured  to  such  an  extent  that 
the  escape  routes  for  the  installation  personnel  were  cut  off.  The  explosions  and 
fires  reached  such  a  magnitude  that  the  complete  structure  was  destroyed. 

The narrow causes of the disaster were the likely failure of maintenance
personnel to effectively secure and prevent leakage of gas from a pipe end, and
the failure of the Permit-to-Work system and procedures to pass on information
relating  to  the  state  of  the  plant.  The  wider  causes  were  firmly  linked  to  the 
ineffectiveness  of  management  control.  Notwithstanding  the  safety  consciousness 
of  the  operators  in  the  North  Sea,  it  was  clear  that  a  new  more  stringent 
approach  to  the  management  of  health  and  safety  was  required,  wherein  the 
operator  has  to  demonstrate  to  the  regulatory  body  that  their  safety  assessments 
and  management  control  of  the  offshore  installation  and  all  activities  on  it  are 
adequate  in  both  normal  and  emergency  situations.  This  should  provide  for 
continued  and  progressive  improvement  in  offshore  safety. 

For  many  years  in  the  UK  we  have  recognized  the  need  for  health  and  safety  to  be 
managed  and  to  be  subject  to  quality  assurance  procedures  in  the  same  way  and 
with  the  same  vigor  as  commercial  activities.  This  line  of  thinking  underpins 
our  Mineral  Workings  (Offshore  Installations)  Act  1971  and  the  Health  and  Safety 
at  Work  Act  1974  which  both  apply  to  offshore  activities.  The  Mineral  Workings 
Act  places  health  and  safety  duties  on  two  critical  points  in  the  management 
chain  so  recognizing  the  connection  between  management  and  health  and  safety 
standards.  The  Health  and  Safety  at  Work  Act  places  duties  on  employers  to 
safeguard,  as  far  as  is  reasonably  practicable,  the  health,  safety  and  welfare 
of  their  employees.  There  are  requirements  for  the  provision  and  maintenance  of 
safe plant and systems of work, and the provision of information, instruction,
training and supervision. Employers have to prepare a written statement of their
policy,  organization  and  arrangements  for  health  and  safety,  which  again  serves 
to  emphasize  that  health  and  safety  has  to  be  managed.  The  crucial  importance 
of  the  role  of  management,  including  that  at  board  room  level,  has  been 
reinforced  by  inquiries  into  a  number  of  recent  disasters  in  the  UK  such  as  the 
capsize  of  The  Herald  of  Free  Enterprise  and  the  London  Kings  Cross  underground 
transport  fire.  Worldwide  there  are  other  prominent  examples  such  as  Three  Mile 
Island, Alexander Kielland, Challenger, Bantry Bay, Bhopal, etc. All of these
demonstrate  the  axiom  that  accidents  are  not  matters  of  chance,  but  are  subject 
to  management  control,  and  if  management  so  determines,  can  be  eliminated. 

3.  Principle  of  Proportionality 

Another  fundamental  precept  of  the  UK  approach  is  that  there  should  be 
proportionality  between  industrial  risks  and  the  measures  taken  for  their 
control.  When  applying  this  principle  offshore,  because  of  the  difficulties  of 
escape  in  the  event  of  a  major  incident,  the  precautions  against  catastrophic 
happenings  must  be  greater  and  wider  than  those  which  would  be  required  for  the 
equivalent  operation  onshore. 

4. Piper Alpha Recommendations

Returning  to  the  Piper  Alpha  disaster,  the  inquiry  recommended  that  operators 
should  demonstrate  to  themselves  and  to  a  single  regulatory  authority,  the  OSD, 
the  safety  of  their  activities  using  the  combined  mechanism  of  Safety  Management 
Systems,  risk  assessments  and  emergency  rescue  analysis,  which  together  form  the 
Offshore Safety Case.

— The Offshore Safety Case should, amongst other things, demonstrate that
certain objectives have been met including:

(i)  that  the  safety  management  system  of  the  company  and  that  of  the 
installation  are  adequate  to  ensure  the  design  and  operation  of 
the  installation  and  its  equipment  are  safe; 

(ii)  that  the  potential  major  hazards  of  the  installation  and  the  risks 
to  personnel  therein  have  been  identified  and  appropriate  control 
provided;  and 

(iii)  that  adequate  provision  is  made  for  ensuring,  in  the  event  of  a 
major  emergency  affecting  the  installation,  a  temporary  safe 
refuge  for  personnel  on  the  installation  and  their  safe  and  full 
evacuation,  escape  and  rescue. 

— The operator should be required to satisfy itself, by means of regular
audits, that the Safety Management System is being adhered to.

5. Offshore Safety Cases

Offshore  Safety  Cases  will  be  required  to  demonstrate  that  the  hazards  have  been 
identified  and  assessed,  and  that  exposure  of  personnel  to  the  hazards  has  been 
minimized. 

They  should  be  prepared  primarily  by  the  operator's  own  staff,  although  the  use 
of  consultants,  particularly  in  the  field  of  design  and  constructional  integrity, 
will  be  admissible. 

Our  detailed  thinking  is  still  being  developed,  but  we  will  be  requiring  the 
submission  of  an  Offshore  Safety  Case  for  every  installation  within  UK  designated 
areas.  The  submissions  for  particular  installations  should  extend  to  all  related 
activities  including  diving,  pipelines,  the  provision  and  conduct  of  standby 
vessels,  etc.  They  should  at  least  address  whether  or  not  an  installation  has 
been  designed  so  that  it  is  fit  for  its  purpose  and  can  be  constructed,  operated 
and  eventually  demolished  safely.  Many  issues  need  to  be  considered  under  this 
heading. Ones that have particular relevance include:

—  The  location  of  accommodation  facilities  in  respect  of  the  main  hazards. 

—  Escape  routes. 

—  The  provision  of  temporary  safety  refuges  and  their  protection. 

—  The  provision  of  Permit-to-Work  systems. 

— An assessment of the risks including quantified risk assessments for the
major hazards.

— A statement of the Corporate Safety Policy and how this links into the
overall company strategy.

— The system for implementing the Safety Policy and for managing health and
safety.

— Methods to be adopted for controlling the risks including physical and
management techniques.

— Procedures for keeping the Offshore Safety Case current.

— Revision dates.


6. Principles of Management

The  basic  concepts  of  management  are  the  same  no  matter  what  activity  is  being 
undertaken. The main ingredients of any management scheme are:

-  setting  and  agreeing  on  measurable  objectives; 

-  preparing  an  operating  plan  with  identifiable  milestones  on  which  progress 
can  be  measured; 

-  establishing  mechanisms  for  achieving  the  plan  and  meeting  the  objectives; 

-  monitoring  progress  towards  meeting  the  plan; 

- making adjustments to the objectives, the plan or the mechanisms in the
event of progress veering from the plan;

-  carrying  out  further  monitoring  and  adjustments. 

7. Managing Health and Safety

The  principles  involved  in  managing  health  and  safety  are  no  different  to  those 
outlined  above.  Objectives  have  to  be  set  and  progress  monitored  to  ensure  that 
these  are  realistic  and  are  being  achieved.  Just  as  for  other  management  areas, 
applying  the  principles  in  the  health  and  safety  field  is  no  easy  matter  and  much 
effort  and  commitment  are  required  at  all  levels  within  an  organization. 

Promoting  acceptable  health  and  safety  standards  depends  upon  having  a  clear 
policy  that  starts  with  a  corporate  acceptance  of  responsibilities  which  aims  to 
cultivate  positive  management  attitudes  towards  improving  standards.  A  good 
starting  premise  is  that  all  accidents  and  incidents  of  industrial  ill  health  are 
avoidable  and  all  are  the  responsibility  of  management.  The  policy  should  then 
go  on  to  specify  objectives  that  align  with  the  overall  company  strategy  and 
define  the  organization  to  meet  these  objectives.  These  should  include  the 
responsibility  for  the  protection  of  people,  plant  and  the  environment.  It  is 
sometimes  suggested  that  these  can  be  pursued  separately,  but  all  form  part  of 
a coherent whole. Specific postholders should be named together with their
health and safety duties. At least some of the objectives should be in a
measurable  form,  e.g.,  reductions  in  accident  rates,  lost  time  accidents  and 
dangerous  occurrences,  carrying  out  a  set  number  of  safety  audits  each  year. 
However,  for  major  injury  accidents,  fatal  accidents  and  disasters,  it  must  be 
recognized  that  numbers  are  too  small  to  be  of  statistical  significance.  In 
these  areas  the  aims  have  to  be  couched  in  terms  of  reducing  their  long-term 
probabilities.  To  be  successful,  the  policy  has  to  have  the  positive  support  of 
the  main  board. 

The  management  structure  for  implementing  safety  policies  should  include: 

-  Corporate  Commitment  —  Perhaps  the  most  important  element  in  managing 
health  and  safety  is  that  the  most  senior  level  of  management  and  the  most 
senior  individuals  make  time  and  effort  to  demonstrate  that  health  and 
safety  performance  is  an  important  issue  for  the  company  concerned.  Too 
often  companies  are  willing  to  spend  much  money  on  developing  schemes  but 
do  not  give  them  sufficient  status  to  allow  them  a  chance  of  success.  How 
many  chief  executives  make  time  to  get  involved  in  safety  presentations? 

-  Line  of  Accountability  -  A  line  of  accountability  for  health  and  safety 
performance  must  extend  from  the  board  room  to  the  lowest  level  of 
supervision  within  an  organization.  This  should  embrace  the  activities  of 
contractors.  Circumstances  offshore  demand  that  operators,  in  their 
dealings  with  contractors,  reserve  overall  control  to  themselves. 
Therefore  it  is  necessary  for  the  accountability  line  to  extend  into  the 
organizational  structure  of  contracting  bodies.  Success  is  felt  on 
rigorous  application  of  management  control,  and  each  level  of  management 
should  be  held  accountable  for  health  and  safety  performance.  How  many 
annual  performance  reports  have  a  relevant  section  on  a  person's 
achievements  in  the  field  of  safety?  Particular  attention  should  be  paid 
to  the  links  between  the  management  elements  based  ashore  and  those  that 
are  installation  based,  and  to  the  problems  of  handovers  at  crew  changes 
and  shift  changes. 

-  Safety  Procedures  -  Details  of  the  safety  procedures  to  be  followed  will 
depend  upon  the  identified  hazards,  and  will  include  procedures  for  the 
control  of  safety  critical  activities.  It  goes  without  saying  that 
Permit-to-Work  Schemes  should  cater  for  secure  isolation  of  equipment,  for 
situations  where  more  than  one  task  is  being  carried  out  on  one  piece  of 
equipment,  and  for  shift  change  handovers.  A  more  difficult  question  to 
address  is  when  should  they  be  used.  Certainly  they  should  be  used  to 
control all nonroutine work activities, but there may be some routine
activities  where  the  degree  of  risk  warrants  the  formalized  control 
afforded  by  a  Permit-to-Work  Scheme. 

-  Competence  of  Staff  -  The  management  system  should  align  the  competence 
and  temperaments  of  individuals  to  the  tasks  which  they  are  being  expected 
to perform. Information, training and supervision need to be according
to the individual requirements.

-  Communications  -  Attention  should  be  given  to  establishing  clear 
communication systems wherever these would be of benefit to health and
safety. Special care should be taken with the links between shifts and
between  operators,  their  contractors  and  other  contractors.  Also  the 
benefits  of  having  a  command  center  that  can  be  used  in  emergencies  should 
be  considered. 

- Emergencies - The operators' formal command organization which is to
function  in  the  event  of  an  emergency  should  be  defined  and  well 
understood  by  all  concerned.  Emergency  drills  should  be  undertaken 
periodically. 

- Monitoring - It is not sufficient to have written safety procedures that
deal  with  every  conceivable  set  of  circumstances.  Arrangements  must  be 
made  to  monitor  their  implementation  and  to  report  back  any  shortcomings 
to  the  line  manager  concerned  and  to  senior  management.  Senior  managers 
need  to  know,  and  should  be  very  interested  in  whether  or  not  their  safety 
policies  are  being  implemented.  Unfortunately  there  is  no  easy  calculus 
that  can  be  applied  to  measuring  health  and  safety  standards.  In  lots  of 
situations  the  objective  is  to  reduce  what  is  already  a  very  low  level  of 
residual  risk.  There  are  a  number  of  proprietary  audit  schemes  on  the 
market  which  can  help  with  this  task,  but  there  is  no  reason  why  a  company 
cannot  generate  its  own  system.  A  home-grown  solution  with  all  its 
shortcomings,  but  with  which  people  can  readily  identify  can  often  be  more 
acceptable  than  an  expensive  system  imported  from  outside.  Any  system 
should  incorporate  some  elements  that  compare  what  actually  happens  on  the 
ground  with  what  is  expected  to  happen.  Periodic  thorough  scrutinies  of 
plant  and  operations  can  help  identify  shortcomings. 

8. Summary

Managing  health  and  safety  costs  time  and  money.  However,  operators  should  make 
realistic  appraisals  of  the  costs  that  are  avoided  and  the  other  benefits  that 
accrue  by  ensuring  good  standards.  Apart  from  the  tragic  loss  of  life,  not  much 
was  left  of  the  Piper  Alpha  platform  following  the  disaster.  There  is  growing 
evidence  to  show  that  health  and  safety  not  only  makes  good  social  sense,  but 
also  good  commercial  sense.  This  becomes  particularly  clear  when  the  property 
damage  costs  that  usually  accompany  accidents  are  added  into  the  equation.  Firm 
control  over  health  and  safety  equates  to  control  over  other  matters  such  as 
quality,  wastages,  manpower  deployment,  and  so  forth,  and  perception  of  control 
of  these  issues  by  outsiders  can  result  in  improved  business  opportunities. 
There  is  much  truth  in  the  adage  that  good  business  is  safe  business  and  safe 
business is good business.

LORD CULLEN'S REPORT ON PIPER ALPHA: THE U.K. OFFSHORE INDUSTRY'S RESPONSE

Dr.  Harold  Hughes  QBE 
Director-General,  U.K.  Offshore  Operators  Association 

ABSTRACT 

This  paper  describes  the  offshore  industry's  response  in  the  U.K.  to  Lord 
Cullen's  report.  The  centerpiece  of  the  new  approach  to  offshore  safety  will  be 
the  Safety  Case,  which  will  cover  not  only  hardware  but  human  aspects  as  well. 
Lord  Cullen's  recommendations  will  be  implemented  by  the  operating  companies. 
The  U.K.  Offshore  Operators  Association  will  monitor  progress  and  coordinate  the 
industry  studies  necessary  to  support  them. 

1.  Introduction 

The  6th  of  July  1988  is  a  date  ever  to  be  remembered  by  those  in  the  offshore  oil 
and  gas  industry,  certainly  in  the  U.K.,  but  probably  worldwide,  too.  The  Piper 
Alpha  disaster  (the  world's  most  serious  offshore  fire)  started  at  about  10  pm 
that  night.  One  hundred  sixty  seven  men  died,  many  others  were  injured,  and 
survivors  still  suffer  the  after-effects  of  having  lived  through  it. 

The  subsequent  Public  Inquiry,  set  up  immediately  afterwards  by  Government  and 
headed  by  Lord  Cullen,  produced  an  extremely  thorough  analysis  of  the  events  of 
that  night  and  what  preceded  it,  and  (in  its  second  part)  a  review  of  then 
current  offshore  safety  organization  and  approaches,  and,  very  importantly, 
Recommendations  for  the  future.  The  Government  agencies  and  the  offshore  industry 
itself  came  under  the  latter  scrutiny;  the  United  Kingdom  Offshore  Operators 
Association  Ltd.  (UKOOA)  played  the  major  role  in  this  second  part  of  the 
Inquiry,  presenting  37  of  the  64  papers  taken  as  evidence. 

This  paper  describes  the  offshore  industry's  response  in  the  U.K.  to  Lord 
Cullen's  report.  The  Recommendations  of  the  report,  when  fully  enacted,  will 
represent  quite  a  sea-change,  particularly  in  the  regulation  of  safety,  and  the 
organization  within  the  U.K.  Government  of  that  activity.  I  am  afraid  that  I  have 
had  to  refer,  in  this  paper,  to  these  Government  agencies  and  indeed  I  could  not 
consider  the  changes  that  Lord  Cullen's  report  will  engender  without  referring 
to  their  changed  rules  and  responsibilities.  I  think  therefore  I  feel  some  need 
to  apologize  for  getting  into  this  detail  about  the  U.K.  Government  organization, 
but it is a necessary component of my paper.

UKOOA  is  the  industry  body  which  represents  all  (currently  36)  Member  Companies 
who  explore  for  and  produce  oil  and  gas  in  the  North  Sea  and  other  U.K. 
territorial  waters. 

All UKOOA's Member Companies have now welcomed Lord Cullen's Report, published
in  November  1990,  as  signposting  ahead  a  very  clear  path  for  the  further 
improvement  of  the  offshore  safety  regime  in  the  UK.  The  major  change  will  be  in 
the way in which platform operators will have to take much more responsibility
themselves for demonstrating, to a new Government authority, the safety measures
they  have  provided  on  their  platforms. 

The  centerpiece  of  the  new  approach  will  be  the  Safety  Case,  a  formal  submission 
to  be  made  by  each  Operator,  for  each  platform,  updated  regularly  and  as  platform 
hardware  and  procedures  are  changed.  This  Safety  Case  will  not  only  cover 
hardware  (such  things  as  platform  layout,  provision  of  firewalls,  escape  routes, 
temporary  safe  refuges  and  the  like)  but  human  aspects  such  as  the  capability, 
experience,  and  training  of  management  and  workforce  teams,  the  written 
operational  and  emergency  procedures  and  exercises  to  ensure  competence  in  their 
use,  and  the  safety  support  systems  such  as  onshore  procedures,  helicopter 
availability  round  the  clock,  standby  boats  and  radio  communications.  The  Safety 
Cases,  to  be  developed  for  new  and  (as  soon  as  possible)  for  existing 
installations  will  be  assessed  and  approved  by  a  new  single  offshore  authority  — 
a  new  specialized  Division  to  be  created  within  the  existing  national  Health  and 
Safety  Executive.  The  Chief  Executive  of  the  new  Division,  Mr.  Tony  Barrell,  has 
already  been  appointed  and  will  work  in  the  Department  of  Energy  (the  existing 
Government  authority  principally  concerned)  until  transfer  of  responsibility  is 
effected, probably during April 1991. (This transfer has now been effected.)

In  parallel  with  the  move  to  the  Safety  Case  approach,  there  will  be  fundamental 
change  in  the  form  of  the  Regulations  governing  offshore  working  and  safety.  The 
current  form  of  these  has  evolved  over  the  years,  from  a  basis  in  the  Mineral 
Workings  Act,  and  amendments  and  additions  have  largely  followed  experience; 
generally  the  form  has  been  prescriptive,  with  the  Department  of  Energy  or  other 
Government  Departments  laying  down  in  often  quite  detailed  form  how  provisions 
shall  be  made.  This  has  led  now  to  offshore  operations  being  governed  by  17  Acts 
of  Parliament,  43  Statutory  Regulations,  63  Operators'  Notices,  148  Safety 
Notices  and  171  Diving  Safety  Memoranda;  not  all  these  have  statutory  force,  but 
are  usually  taken  so.  This  general  approach  led  to  a  process  of  exemption, 
because  the  approach  could  not  keep  up  with  the  emerging  technology  of  new 
platforms;  worse,  Operators  were  tempted  to  believe  that  if  they  complied  with 
all  these  sets  of  rules,   their  platforms  were  necessarily  safe. 

All  this  is  now  to  be  swept  aside  in  favor  of  the  Safety  Case,  supported  by  a  new 
limited  range  of  Regulations  which  instead  of  being  prescriptive  will  be 
objective-setting.  In  other  words,  they  will  set  safety  goals.  It  will  be  up  to 
Operators,  through  their  Safety  Cases,  to  demonstrate  how  these  goals  are  being 
achieved  for  each  platform.  A  very  small  number  of  prescriptive  rules  will  remain 
but  only  in  narrowly  defined  areas,  such  as  the  numbers  of  lifeboats  to  be 
provided.  This  path,  to  goal-setting  regulation,  is  one  already  being  followed 
by  the  Norwegian  offshore  safety  authority,  and  it  parallels  the  approach  used 
since 1984 onshore in the U.K., although the Safety Case approach recommended by
Lord  Cullen  goes  somewhat  beyond  those  onshore  requirements. 

UKOOA welcomes these developments - indeed they correspond with the
recommendations UKOOA made in its evidence to Lord Cullen's Public Inquiry. But
before the Inquiry had even started, Member Companies had commenced to analyze
for  themselves  the  first  lessons  of  the  awful  tragedy  and  had  started  the 
engineering  of  hardware  improvements  which  were  largely  completed  offshore  in  the 
weather-windows  of  the  summers  of  1989  and  1990.  A  dreadful  component  of  the 
tragedy was the burning of pipeline inventory on the Piper Alpha platform, and
so the industry has spent about $500 million repositioning over 150 emergency
shut-off valves on platforms, and some $700 million providing further sub-sea
remote shut-off valves in carefully selected instances. On Piper Alpha, smoke was
clearly  an  even  greater  hazard  to  escape  than  had  been  thought,  and  the  industry 
has  spent  about  $500  million  improving  emergency  walkways  and  their  lighting  and 
signing,  and  on  preventing  the  entry  of  smoke  into  accommodation  units  used  as 
temporary refuges.

This  expenditure  has  gone  a  long  way  to  meeting  in  advance  some  of  Lord  Cullen's 
106  Recommendations,  but  clearly  much  has  to  be  done  both  by  Government  and  the 
industry  over  the  next  2-3  years  to  enact  them  fully.  Safety  Case  approaches  are 
already  in  use  in  UKOOA's  major  companies  but  their  use  has  to  be  made  universal, 
and  the  inventory  of  over  150  existing  platforms  subjected  to  this  rigorous 
approach.  Availability  of  skilled  technical  resources  will  be  a  limiting  factor, 
and  UKOOA's  Member  Companies  will  have  to  undertake  training  programs  to  ensure 
these  Safety  Cases  can  be  done  where  they  need  to  be  done  —  in  house. 

Other  Recommendations,  dealing  with  the  design  and  capability  of  standby  boats 
and  the  standards  applying  on  contract  drilling  rigs,  for  example,  will 
necessitate  close  cooperation  with  other  sectors  of  the  industry  and  these 
contacts  are  already  being  strengthened. 

The  world's  worst  offshore  tragedy  seems  now  likely  to  lead  to  the  development 
of  an  offshore  safety  regime  which  will  be  a  model  for  the  development  of  new 
offshore  production  regimes  the  world  over. 

This,  then,  is  effectively  a  summary  of  the  overall  position  that  the  industry 
has  taken  up  following  the  publication  of  the  Report.  I  should  like  now,  as  time 
permits,  to  go  into  somewhat  more  detail  concerning  some  of  the  specific 
Recommendations  and  related  matters. 

1.1.     Emergency  Shutdown  Valves 

Fire  and  explosion  are  major  hazards  offshore  and  if  an  accident  does  happen 
which  results  in  a  fire,  the  first  priority  is  to  contain  its  impact  by  shutting 
off  the  supply  of  fuel.  Even  before  Piper  Alpha,  pipelines  were  fitted  with 
emergency  shutdown  valves  which  isolated  the  pipeline  contents  in  the  event  of 
fire,  but  as  I  have  said,  the  experience  of  Piper  Alpha  showed  that  the  precise 
location  of  a  valve  can  be  critical.  A  properly  located  and  protected  emergency 
shutdown  valve  provides  a  secure  first  line  defense  against  the  uncontrolled 
release  of  the  pipeline  contents.  The  advantage  of  an  emergency  shutdown  valve 
located  above  the  water  is  that  it  remains  accessible  for  inspection,  testing  and 
maintenance.

In  the  last  two  years,  companies  have  checked  the  location  of  over  400  emergency 
shutdown  valves  and  have  repositioned  over  150  of  them.  Where  appropriate, 
additional  protection  from  fire  and  falling  debris  is  being  provided. 

1.2      Subsea  Isolation  Systems 

In  special  circumstances,  for  example  where  large  diameter  gas  pipelines  are 
present, the installation of subsea isolation systems can provide protection
against the failure of the platform emergency shutdown valve or of the pipeline
riser  itself.  This  double  protection  would  ensure  that  an  accident  on  the 
platform,  which  is  severe  enough  to  damage  the  platform  emergency  shutdown  valve 
or  the  pipeline  riser,  does  not  escalate. 

Prior  to  Piper  Alpha,  10  subsea  isolation  systems  had  been  installed  in  the  North 
Sea.  Since  Piper  Alpha,  operators  have  been  carrying  out  safety  assessments  to 
determine  priorities  for  the  installation  of  further  subsea  isolation  systems. 
As  a  result  of  these  assessments  a  further  67  systems  have  been  installed  at  a 
cost  of  over  $700  million. 

1.3  Smoke  Hazard 

Smoke  proved  to  be  a  major  hazard  on  Piper  Alpha  and  Operators  have  been  and  are 
looking  closely  at  how  smoke  could  hinder  evacuation  and  how  its  effects  could 
be  mitigated.  Smoke  is  inevitably  formed  during  a  hydrocarbon  fire  but  its 
ingress  into  the  accommodation  module  can  be  prevented  and  additional  personnel 
protection  provided.  For  example,  where  they  are  not  already  provided,  companies 
are  fitting  smoke  detectors  in  the  air  intake  ducts  of  accommodation  modules  to 
ensure  that  the  smoke  dampers  shut  automatically  as  soon  as  smoke  is  detected. 

Offshore  installation  fire  fighting  teams  are  trained  in  the  use  of  breathing 
apparatus,  but  in  addition,  consideration  is  being  given  to  the  provision  of 
easily  portable  smoke  hoods  for  all  offshore  personnel.  These  could  provide 
protection  for  a  vital  few  minutes  in  smoke  conditions.  In  December  1989,  UKOOA 
and  the  Department  of  Energy  commissioned  a  joint  study  at  Aberdeen  University 
to  develop  a  standard  for  smokehoods  suitable  for  use  offshore.  We  expect  this 
standard  to  be  available  in  1991.  A  number  of  companies  have  provided  currently 
available  smokehoods  as  an  interim  measure;  others  are  waiting  until  the  offshore 
standard  is  available. 

1.4  Evacuation  and  Escape 

If,  as  a  last  resort,  a  platform  has  to  be  evacuated,  reliable  means  to  do  so 
safely  must  be  readily  available. 

Helicopters  are  the  most  convenient  way  of  evacuating  an  installation  but  in 
addition  every  platform  has  its  own  dedicated  evacuation  system  which  is 
completely  independent  of  external  help.  The  platform  lifeboats  provide  the 
primary  means  of  evacuation.  They  are  totally  enclosed  and  self-propelled  to 
assist  them  to  clear  the  platform  safely  after  launching. 

Escape  routes  are  provided  from  every  part  of  the  platform  to  the  helideck  and 
the  lifeboats.  The  main  requirement  for  escape  routes  is  that  there  must  be  more 
than  one  way  of  escape  available  from  any  particular  part  of  the  platform. 
Companies  are  providing  further  improvements,  for  example  the  installation  of 
heat  shielding  and  improved  lighting  which  is  self  contained  and  needs  no 
external  power  supply.  More  use  is  being  made  of  floor  level  photoluminescent 
strips  which  remain  visible  in  poor  light. 

Piper  Alpha  has  also  made  the  industry  more  aware  of  the  need  for  secondary 
evacuation systems to cope with the situation where some personnel may not be
able to get to the helideck or lifeboats. The industry uses a range of devices,
including  knotted  ropes,  ladders,  extending  steps,  nets  and  abseiling  equipment. 
Every  installation  is  different  and  new  ideas  which  are  emerging  must  be  tested 
to  make  sure  that  they  do  not  create  new  problems  in  use. 

Information  on  these  new  methods  of  escape  is  exchanged  between  Member  Companies 
at  the  UKOOA  Safety  Committee  meetings  which  are  held  monthly,  and  the  joint 
UKOOA/Department  of  Energy  Emergency  Evacuation  Committee  reviews  new  methods  on 
behalf  of  the  industry. 

It  is  difficult  to  determine  exactly  how  much  all  these  general  safety 
enhancements  will  cost,  because  they  normally  form  an  integral  part  of  the 
detailed  engineering  of  the  platform  equipment,  but,  using  information  obtained 
from  Member  Companies,  it  is  estimated  that  offshore  operators  have  spent  nearly 
$2,000  million  on  safety  related  hardware  including  emergency  shutdown  valves  and 
subsea  isolation  systems. 

1.5      Permit  to  Work  System 

The  Permit  to  Work  System  (PTW)  is  one  of  the  foundations  of  safe  working  and 
accident  prevention  and  is  employed  throughout  the  petroleum  industry,  both 
onshore  and  offshore.  Individual  operators  design  their  own  PTW  systems  based  on 
Guidelines  published  by  the  Oil  Industry  Advisory  Committee  (OIAC)  which 
comprises  representatives  from  the  oil  industry,  the  Health  &  Safety  Executive, 
the  Department  of  Energy,  and  the  Trades  Unions. 

The  OIAC  Guidelines  are  being  revised  following  Piper  Alpha  to  incorporate  the 
lessons  learned  and  UKOOA  Member  Companies  have  increased  their  efforts  to  audit 
their  PTW  procedures  to  check  that  they  comply  with  the  best  industry  practice 
and  are  being  followed  on  all  occasions. 

2. Formal Safety Assessment (FSA)

What  I  have  said  so  far  represents  a  conscientious  and  rapid  response  by  a 
responsible  industry  to  a  major  disaster.  Our  objective  is  to  create  and  maintain 
a  safe  environment  offshore,  recognizing  the  hazardous  nature  of  our  business. 
But  there  is  a  risk  that  this  reaction  to  experience,  however  thoroughly  carried 
out,  will  result  in  a  piecemeal  rather  than  comprehensive  improvement  in  safety. 
If  we  are  to  convince  ourselves  in  the  industry,  and  those  outside  it,  that  the 
likelihood  of  another  major  disaster  has  really  been  reduced  to  an  acceptable 
level  then  something  more  is  required. 

In  its  recommendations  to  Lord  Cullen,  UKOOA  reaffirmed  its  previously  held 
conviction  that  the  prime  responsibility  for  the  safety  of  an  offshore 
installation  must  remain  with  the  operating  company.  UKOOA  proposed  that  the 
present  prescriptive  regulations,  promulgated  under  the  Minerals  Workings 
(Offshore  Installations)  Act  1971,  should  be  gradually  phased  out  and  replaced 
with  objective  goal-setting  regulations,  which  would  require  Operators  to 
demonstrate  the  safety  of  each  installation  by  carrying  out  a  Formal  Safety 
Assessment  (FSA)  similar  to  that  required  for  onshore  installations  under  the 
Control of Industrial Major Hazards Regulations (CIMAH). UKOOA believes, and has
for some time, that the introduction and use of FSA represents the best way
forward  for  the  offshore  industry  to  enhance  safety  and  prevent  disasters  like 
Piper  Alpha. 

FSA  has  many  advantages  compared  with  the  current  regulatory  regime.  It  is 
flexible  and  can  take  account  of  different  types  of  installation.  There  are  over 
150  existing  offshore  installations,  fixed  and  floating,  extending  from  the 
shallow  waters  of  the  southern  North  Sea  to  the  deeper  water  found  in  the  central 
and  northern  North  Sea.  Some  produce  gas,  some  oil  and  some  oil  and  gas.  Some  are 
small,  with  only  a  handful  of  personnel  or  even  not  normally  manned,  others  are 
large  with  hundreds  of  personnel  on  board.  Prescriptive  regulations  cannot 
adequately  cover  this  diversity  of  installations,  except  by  a  legal  exemption 
process  used  at  the  discretion  of  the  Secretary  of  State. 

By  its  very  nature,  FSA  encourages  management  thought,  innovation  and  the 
introduction  of  improved  safety  techniques.  Rigid  regulation  tends  to  lock  safety 
into  yesterday's  technology.  For  example,  free-fall  lifeboats  do  not  meet  the 
requirements  of  current  UK  regulations. 

FSA  does  not  dictate  to  the  Operator  how  safety  should  be  achieved,  for  example, 
by  specifying  the  strength  of  fire  walls  or  the  amounts  of  fire  water  to  be 
deployed.  Therefore  the  most  appropriate  provisions  for  each  individual 
installation  can  be  used  rather  than  the  detailed  and  wholesale  requirements 
prescribed  in  the  current  form  of  regulations. 

FSA  puts  the  spotlight  on  the  Operator.  It  focuses  on  his  responsibility  to 
create  and  maintain  a  safe  place  of  work.  Prescriptive  regulations  provide  the 
wrong  sort  of  prop  for  the  Operator  -  if  he  complies  with  the  regulation  he  may 
feel  that  he  is  "legally  safe". 

3.         The  Safety  Case 

UKOOA  is  committed  to  the  Safety  Case  approach.  Most  of  the  new  installations 
designed in the 1980's have used safety case methods. The UKOOA procedure on
Formal  Safety  Assessment,  which  has  been  issued  to  every  company,  will  assist  in 
harmonizing  the  scope  of  the  safety  cases  prepared  for  all  installations 
including  existing  ones.  The  preparation  of  safety  cases  for  all  prior  existing 
installations  is  an  enormous  challenge  and  will  take  time  to  implement. 

When  CIMAH  (Control  of  Major  Industrial  Accident  Hazards)  Regulations  were 
introduced  in  the  U.K.  onshore  in  1984,  the  Health  &  Safety  Executive  allowed  5 
years  for  their  implementation.  UKOOA  believes  that,  taking  into  account  the  work 
done  already,  the  task  offshore  should  be  completed  in  2  to  3  years.  One 
advantage  of  the  safety  case  is  that  it  enables  major  hazards  to  be  identified 
early  and  therefore  priorities  can  be  established  for  remedial  actions.  This 
means  that  any  safety  improvements  can  be  implemented  while  the  safety  case  is 
being  completed. 

To  the  extent  that  the  preparation  of  the  safety  case  will  require  the  use  of 
quantitative  risk  assessment  techniques,  UKOOA  has  recognized  that  updated  and 
improved data bases will be an essential prerequisite of the assessment. As a
first step in upgrading the information available to the industry, UKOOA
commissioned a study "The Update of Loss of Containment Data for Offshore
Pipelines"  which  is  expected  to  be  published  by  HMSO  in  1991.  The  data  base 
covers  subsea  pipelines  and  associated  incidents  through  the  North  Sea  up  to  the 
end  of  1989  and  was  compiled  with  the  assistance  of  operating  companies  and  the 
regulatory  authorities'  departments  with  North  Sea  oil  and  gas  interests.  We  are 
now  going  on  to  develop  a  database  on  incidents  involving  offshore  cranes. 

An  essential  ingredient  of  a  safety  case  is  the  company's  Safety  Management 
System  (SMS).  According  to  Lord  Cullen,  the  safety  case  should  demonstrate  that 
the  SMS  of  the  company  and  that  of  the  installation  are  adequate  to  ensure  that 
(a)  the  design,  and  (b)  the  operation  of  the  installation  and  its  equipment  are 
safe.  The  SMS  should  be  in  respect  of  (a)  the  design  (both  conceptual  and 
detailed)  of  the  Operator's  installations;  and  (b)  the  procedures  (both 
operational  and  emergency)  of  those  installations.  In  the  case  of  existing 
installations  the  SMS  in  respect  of  design  should  be  directed  to  its  review  and 
upgrading  so  far  as  that  is  reasonably  practicable. 

The  SMS  should  set  out  the  safety  objectives,  the  system  by  which  these 
objectives  are  to  be  achieved,  the  performance  standards  which  are  to  be  met  and 
the  means  by  which  adherence  to  these  standards  is  to  be  monitored.  UKOOA 
endorses Lord Cullen's recommendation that in the formulation of their SMS,
Operators should draw on the principles of quality assurance similar to those
contained in the British Standard BS 5750 and International Standards
Organization ISO 9000.

To  implement  successfully  these  fundamental  changes  in  the  way  offshore  safety 
is  to  be  administered  and  managed  will  require  a  dedicated  and  concerted  effort 
by  the  Government,  the  Health  &  Safety  Executive  and  the  offshore  industry  all 
working  together.  UKOOA  is  keen  and  ready  to  play  a  full  part  in  this  challenging 
future.


4. Safety Committees and Safety Representatives

Above  all,  offshore  safety  is  about  the  people  who  work  offshore.  Whether  they 
are  employed  by  contractors  or  by  oil  companies,  whether  they  belong  to  trades 
unions  or  not,  it  is  essential  that  the  whole  workforce  is  committed  to  and 
involved  in  safe  operations. 

UKOOA  believes  that  each  individual  has  a  vital  role  to  play  in  safeguarding 
himself  or  herself,  and  others.  There  is  no  place  for  artificial  distinctions 
between  contractors  and  oil  company  employees. 

All  must  be  trained  to  work  safely,  to  understand  their  responsibilities  and  to 
be  confident  that  they  will  be  listened  to  when  they  raise  a  safety  issue  either 
directly  with  their  management  or  through  their  safety  committee. 

The  Offshore  Installations  (Safety  Representatives  &  Safety  Committees) 
Regulations  1989  stipulate  that  every  employee  offshore  has  the  right  to  freely 
elect  (or  to  be  elected  as)  a  safety  representative.  This  is  different  from  the 
situation onshore in the U.K. where safety representatives are appointed by a
recognized trades union. Lord Cullen recognized the merit and democratic basis
of  the  present  offshore  regulations  and  endorsed  the  intention  to  review  them 
after  two  years'  experience. 

UKOOA accepts Lord Cullen's recommendations that the training of safety
representatives  should  be  determined  by  and  paid  for  by  the  Operator.  This  should 
further  enhance  the  effectiveness  of  offshore  safety  committees. 

5.  Command  in  Emergencies 

Lord  Cullen  highlighted  the  need  for  a  formal  emergency  command  organization 
which  should  form  part  of  the  Safety  Management  System  (SMS).  In  the  U.K.  the 
Offshore  Installation  Manager  (OIM)  is  in  charge  of  his  installation  and  is 
responsible  for  taking  control  of  an  emergency.  The  Operator's  criteria  for 
selection  of  OIMs,  and  in  particular  their  command  ability,  will  form  part  of  the 
SMS.  UKOOA  is  working  with  the  Offshore  Petroleum  Industry  Training  Organization 
(OPITO)  to  determine  competency  criteria  for  OIMs.  It  is  recognized  that  greater 
attention  will  have  to  be  given  to  determining  selection  criteria  and  appropriate 
leadership and management training for OIMs.

Lord  Cullen  recommended  that  there  should  be  a  system  of  emergency  exercises 
which  provides  OIMs  with  practice  in  decision  making  in  emergency  situations, 
including  decisions  on  evacuation.  OIMs  and  their  deputies  should  participate 
regularly  in  such  exercises.  We  are  also  looking  at  the  transfer  of  naval 
experience  to  the  industry  to  improve  its  command-in-emergency  response. 

6.  Conclusions 

In  conclusion,  UKOOA  reaffirms  that  safety  remains  the  first  priority.  Lord 
Cullen's recommendations will be implemented by the operating companies. UKOOA
will monitor progress and coordinate the industry studies needed to support them.
There is no doubt, however, that Lord Cullen's report will influence offshore
safety  throughout  the  world. 




RISK AND RELIABILITY MANAGEMENT IN
U.S. OFFSHORE OIL AND GAS OPERATIONS


R.  L.  McGannon 
Vice  President,  Chevron  Corporation 

ABSTRACT 

Chevron  Corporation's  efforts  in  risk  and  reliability  management  are  discussed. 
The  first  task  is  to  understand  the  risks  to  people,  the  environment,  and 
facilities.  Management  of  the  risks  involves  efforts  in  the  areas  of  training, 
contingency  measures,  operating  procedures,  design,  inspection,  and 
maintenance/repair.  Future  directions  are  then  outlined.  These  include  the 
development  and  application  of  quality  improvement  strategies  and  tools,  the 
application  and  evaluation  of  formalized  risk  management  procedures,  including 
Hazard  and  Operability  Studies,  quantitative  risk  assessments,  and  comparative 
risk  assessments  for  the  evaluation  of  alternative  concepts  and  systems  for  deep- 
water  development.  The  discussion  is  focused  on  Chevron's  operations  in  the  Gulf 
of  Mexico. 


1. Introduction

The  entire  industry  has  a  responsibility  to  continuously  improve  its  offshore 
safety  record.  At  Chevron  our  highest  priority  is  the  safety  of  our  employees, 
the public, and the environment. Workshops such as this provide good
opportunities for representatives from industry and government to share
experience and exchange information.

I  appreciate  this  opportunity  to  discuss  some  of  Chevron's  efforts  in  risk  and 
reliability  management.  Today  I  will  be  focusing  on  Chevron's  operations  in  the 
Gulf of Mexico (GOM) rather than the United States industry in general.

We  appreciate  the  guidance  and  working  relationships  with  governmental  agencies 
such as the Minerals Management Service (MMS), the U.S. Coast Guard, the Canada
Oil  and  Gas  Lands  Administration,  and  the  Petroleum  Division  of  the  U.K. 
Department  of  Energy  to  improve  safety  offshore. 

We  shouldn't  forget  that  the  offshore  industry  is  a  vital  part  of  the  overall 
U.S.  petroleum  production.  In  fact,  oil  is  literally  the  life  blood  of  our 
economy:  more  than  75  percent  of  all  our  nation's  energy  comes  from  oil  and  gas, 
and  the  transportation  section  is  97  percent  dependent  on  oil.  I'm  sure  you  are 
aware  that  one  out  of  every  two  barrels  of  oil  this  nation  needs  comes  from 
foreign  sources.  So,  that's  why  safe,  environmentally  sensitive  exploration  and 
development  —  especially  in  the  offshore  —  is  so  very  critical  to  our  nation's 
economic  security. 

Chevron  has  offshore  operations  worldwide,  in  Indonesia,  Africa,  China,  and  the 
North  Sea,  in  addition  to  our  domestic  operations.  Our  total  offshore  operated 
production  is  about  900,000  barrels  per  day  of  oil  and  condensate,  and  about  3 
billion cubic feet of gas per day. We are the largest offshore operator in U.S.
waters, producing about 200,000 barrels of oil and condensate, and 2 billion
cubic  feet  of  gas  per  day  from  1200  offshore  installations  in  the  Gulf  of  Mexico. 
That's  about  19%  of  total  GOM  production. 




2.0 Understanding the Risks


Offshore production involves risks to our people, to the environment, and to our
facilities. I will spend a little time putting each of these in perspective.


2.1  Risks  to  our  People 

There are many inherent risks associated with offshore operations. Helicopter
and boat transportation is necessary; cranes are in frequent use; there are
numerous stairs, ladders and metal decks; and we work with heavy equipment, high
pressure wells and process equipment, and flammable fluids.


[Figure: OSHA Recordable Injury Rate (incidents per 200,000 hours exposure); series: Offshore On-Job, Offshore Off-Job]


1990  was  our  best  safety  year  since  we  began  Gulf  of  Mexico  operations.  We 
received  15  American  Petroleum  Institute  (API)  Accident  Prevention  Awards  for  a 
combined  total  of  14.5  million  hours  without  a  lost-time  injury.  The  MMS  awarded 
Chevron  USA  its  Safety  Award  for  Excellence  for  "outstanding  production 
operations"  on  eight  platforms  in  Ship  Shoal  Blocks  107/108.  We  reduced  our  on- 
the-job  Occupational  Safety  and  Health  Administration  (OSHA)  recordable  injury 
rate to 1.2 incidents per 200,000 hours worked, and our off-the-job rate to 2.4.

This  excellent  performance  attests  to  the  dedication  and  commitment  of  all  our 
people.  Safety  is  an  integral  part  of  every  job.  Our  people  watch  out  for  each 
other and take great pride in their significant safety accomplishments. We
continuously strive to improve our record.

A  drug  and  alcohol  program  is  applicable  to  our  offshore  employees.  As  part  of 
this  program,  employees  must  submit  to  random  testing.  Our  employees  are  highly 
supportive  of  this  program. 

2.2 Risks to the Environment

As  an  industry  we  are  making  a  concerted  effort  to  reduce  the  risk  of  spills,  and 
to  be  able  to  better  respond  should  one  occur.  The  oil  industry  sponsored  Marine 
Spill  Response  Corporation  (MSRC)  will  spend  about  $800  million  over  the  next 
five  years,  purchasing  response  vessels  and  barges,  providing  training, 
supporting  R&D,  and  employing  about  400  people.  This  will  improve  our 
effectiveness  in  dealing  with  oil  spills. 

Beyond  our  participation  in  MSRC,  Chevron  assembled  an  in-house  Oil  Spill 
Response  Task  Force  to  enhance  our  prevention,  preparedness,  and  response 
capabilities.  Through  this  effort  we  determined  the  two  most  likely  causes  of 
an  offshore  oil  spill  are,  first,  corrosion  and  erosion  in  hydrocarbon  handling 
equipment  and  pipelines,  and,  second,  human  error.  We  are  working  to  strengthen 
programs  in  both  areas. 

This  task  force  effort  involved  over  100  employees  from  30  different  operating 
companies  and  staff  organizations.  At  the  1991  International  Oil  Spill 
Conference, held in San Diego earlier this month, Chevron presented the programs
developed  and  actions  taken  by  our  Oil  Spill  Response  Task  Force. 

A recent study by C.M. Anderson and R.P. LaBelle^ of the MMS shows that since
the mid-70s the industry has been steadily improving its spill prevention
performance for platforms and pipelines. The industry's current spill occurrence
rates, for significant spills, have dropped by about 70% since 1976. On average,
the industry now produces and transports about 1.5 billion barrels between
significant spills.

2.3  Risks  to  our  Facilities 

One of the risks to the industry's offshore facilities in the GOM is hurricanes.
To date, 38 platforms have failed due to storm loading^. Platform evacuations have
averted both fatalities and severe injuries. Approximately 15,000 barrels of oil
have been spilled as a result of platform failures, compared to more than 7
billion barrels produced between 1964 and 1987'^. The next figure shows the
percentage of failures due to hurricanes between 1955 and 1990.

[Figure: Platform Failure Rate Due to Hurricanes (percent failures by year)]


We have a good idea why the platforms failed. Prior to 1966 most platforms were
designed for 25 year return period waves. Following fourteen platform losses from
hurricane Hilda in 1964, and eight more from Betsy in 1965, operators began using
the more stringent 100 year storm design condition.


In 1969, the first recommended practice for design was published (API RP 2A). By
that time most operators used the 100 year design condition. Since then, most, if
not all storm induced failures, appear to have been due to either poor
maintenance, conditions not accounted for in design (such as mud slides) or the
inadequacies of the 25 year storm design platforms.


Chevron  has  traditionally  favored  conservative  designs  for  offshore  platforms. 
Fortunately,  during  our  early  days  offshore  we  had  a  highly  capable,  far-sighted 
manager  of  offshore  design  and  construction  who  accounted  for  risk  in  his 
platform  designs.  Let  me  quote  from  a  paper  he  wrote:  "Many  industries  would, 
and  do,  willingly  pay  more  than  3%  of  the  cost  of  an  investment  for  insurance 
against  hazards  of  smaller  magnitude  and  better  known  mathematical  probability 
than those encountered in hurricanes in the Gulf of Mexico. For this reason,
Chevron structures have been designed to withstand greater wave and wind loads
than  most  other  operators  assume  in  the  design  of  structures  for  the  Gulf  of 
Mexico.... If  any  structures  can  survive  the  full  brunt  of  a  hurricane,  I  feel 
confident  that  Chevron's  structures  will  be  among  them."'' 


That was written in 1952 ... nearly four decades ago ... by Paul Besse. He was
right. None of the 38 platforms that failed were Chevron platforms.


3.  Managing the Risks

Now  I  would  like  to  move  from  understanding  to  managing  risk.  It  is  hard  to 
devise  a  satisfactory  breakdown  of  risk  management  methods.  One  such  breakdown 
is  given  in  API  RP  750  -  Management  of  Process  Hazards,  which  includes  items  such 
as  management  of  change,  investigation  of  process  related  incidents,  and  audit 
of  process  hazards  management  systems. 

These are valid procedures, but we will consider them to fall under the six broad
headings listed here: training, contingency measures, operating procedures,
design, inspection, and maintenance. These are the methods we rely on to control
risk.

We regard effective personnel training to be the most important method to manage
risk. At our Gulf of Mexico Training Center in Lafayette, LA, our production
personnel receive hands-on training in all aspects of production operations. The
facility includes a production platform simulator utilizing typical production
equipment, including two wellheads complete with operative surface-controlled
subsurface safety valves, test and bulk separators, and oil and gas measuring
devices.


Eighteen  months  ago  we  started  a  program  for  our  newly  hired  operations  and 
mechanical  personnel.  The  30-month  program  contains  three  phases:  classroom 
training,  on-the-job  training,   and  independent  study. 

We  begin  with  five  weeks  of  classroom  training  at  the  Lafayette  facility, 
scheduled  at  intervals  during  the  employee's  first  15  months  with  Chevron.  The 
first  week  deals  with  safety  issues;  subsequent  classes  teach  basic  job  skills. 

Then, during on-the-job training, experienced offshore instructors re-teach the
classroom  material  in  the  work  environment. 


The  last  phase  —  independent  study  —  is  also  done  on  the  job.  Employees  are 
provided  manuals  and  two  hours  per  day  to  master  skills  needed  for  qualification 
under  MMS  training  requirements.  This  certifies  them  for  positions  of  operating 
responsibility  on  Outer  Continental  Shelf  (OCS)  leases. 

One  of  the  functions  of  Chevron's  Drilling  Technology  Center  is  to  certify  its 
drilling  representatives  and  engineers  in  well  control  under  MMS  guidelines.  Our 
classroom  instruction  time  exceeds  the  minimum  required  by  the  MMS  to  fully  equip 
Chevron personnel to handle all types of well-control problems.

At the Drilling Technology Center, we give personnel a fundamental understanding
of what causes kicks and teach them specific procedures for controlling wells.
Our people receive considerable training on state-of-the-art, computer-based
well-control simulators. They also have the opportunity to circulate a nitrogen
gas bubble from an existing well at the center using the conventional land
drilling rig shown here.

3.2      Contingency  Measures 


One of the ways we control risk to personnel and to the environment is by
evacuating platforms and shutting-in production in the event of hurricanes. For
Chevron's GOM operations, this means evacuating about 2,600 employees and
contractors. To make timely, appropriate evacuation decisions, we need the best
hurricane information available.

To get this, we worked with a contractor to expand a Navy model for hurricane
risk prediction. The model permits Chevron to generate plots, showing the
earliest time to expect winds of a specified magnitude, and giving a particular
confidence level. This is important because we wish to avoid flying helicopters
in winds over 45 knots during hurricane evacuation.


[Slide: Managing the Risks. Training; Contingency Measures; Operating Procedures; Design; Inspection]

The  program  uses  both  a  historical  hurricane  database  and  a  forecast  error 
database  along  with  a  forecast  simulation  program  and  the  real-time  National 
Hurricane  Center  (NHC)  forecast.  This  way  we  can  supplement  the  vital 
information  supplied  by  the  NHC  with  past  forecasting  experience. 

The  decision  to  evacuate  remains  a  judgment  call,  but  we  find  that  the  program 
provides  good  confirmation  of  that  judgment. 


While the use of helicopters for hurricane evacuation is an important safety
precaution, we must recognize that helicopter transportation brings its own
risks. Chevron Aircraft Operations has an outstanding safety record. Our Federal
Aviation Administration (FAA) recordable incident rate for the last five years
is less than one for every one million departures. The Gulf Coast average of
about six per million compares very favorably with the U.S. helicopter average
of about 26. Since 1988, our Aircraft Operations has received six API Accident
Prevention Awards and two FAA Spirit of Safety Awards.

We  attribute  our  success  to  our  safety  precautions,  maintenance  operations, 
management  support,  and,  most  importantly,  our  people. 


3.3      Operating  Procedures 


Several years ago Chevron suffered a brief series of unfortunate crane and
rigging accidents. During a broad review of Coast Guard, MMS, and industry
reports, we found (in an MMS industry-wide report) that in 50 reported crane
accidents from 1971-1983 there were 37 fatalities and 26 serious injuries^. Just
one of these 50 accidents involved Chevron personnel.

Chevron organized an employee task force to examine crane and rigging operations
and develop guidelines for improving our performance. The task force made
recommendations regarding crane operations and rigging, crane inspection and
maintenance, crane equipment, and training.


Chevron's  Crane  and  Rigging  Program  has  been  in  place  since  February  1987,  and 
we have not had one reportable crane-related injury since that time.


3.4  Design 




Proper design is essential to reducing risk. There are primarily two ways in
which we control risk through design: design codes and Chevron standards.

Many major operating companies take an active role in developing and revising
API recommended practices related to offshore production facilities. This is a
natural outgrowth of the research and development activities funded by major oil
companies.


I  could  use  any  one  of  a  number  of  API  recommended  practices  as  examples,  but  I 
selected  API  RP  14C  because  it  is  considered  highly  successful  in  controlling 
production facility risk. For those unfamiliar with 14C, it is the Recommended
Practice for Analysis, Design, Installation and Testing of Basic Surface Safety
Systems  for  Offshore  Production  Platforms.  This  figure  is  taken  from  14C  showing 
recommended  safety  devices  for  a  pressure  vessel. 

In  a  paper  presented  at  the  Offshore  Development  Conference  in  1989,  it  was  shown 
that  no  fatality  or  even  reportable  incident  could  be  attributed  to  safety 
devices  that  meet  API  RP  14C  guidelines^,  first  published  in  1974. 

The  API  RP  14C  Safety  Analysis  Checklist  details  all  the  safety  devices  required 
to  protect  individual  process  components,  as  well  as  the  specific  component 
combinations  required  to  eliminate  devices.  Our  operating  people  like  this. 
They  also  appreciate  the  simplicity  and  the  thoroughness  of  the  14C  SAFE  charts 
that  document  the  design  in  a  straightforward  manner. 

There  are  instances  where  Chevron  standards  exceed  industry  design  codes.  Using 
14C as an example, we require all outgoing lines to have shut-down valves, in
addition  to  all  incoming  lines.  We  require  two  relief  devices  per  high  pressure 
vessel  rather  than  one.  Also,  we  believe  in  "blowing  down"  the  pressurized 
system  during  an  Emergency  Shut  Down. 

3.5  Inspection 

Even with well designed structures, it pays to inspect. Before inspections were
required by the MMS, we performed routine inspections on our platforms.

We operate 581 platform installations and 621 caissons in the GOM. To control
inspection, maintenance and repair activities, we developed, with the help of an
outside contractor, Chevron's Computer Aided Inspection Reporting System
(CAIRS). This system standardizes inspection reporting for all structures, links
inspection data to the original structure design, and permits computer
manipulation of inspection data^.

3.6  Maintenance

Inspection  occasionally  reveals  defects  such  as  that  shown  here.  This  was  a 
platform  acquired  from  another  company.  It  had  not  been  properly  maintained. 
An in-depth investigation was conducted by Chevron Research and Technology
Company,   in  conjunction  with  Chevron  Oil  Field  Research  Company. 


When it was determined that no information was available regarding the buckling
capacity of tubular members with holes, Chevron conducted 90 experimental small
scale tests as shown here^. Results were confirmed by detailed, nonlinear finite
element analyses.

We  were  able  to  estimate  the  loss  in  member  strength  from  the  holes  and  dents 
found  during  inspection,  and  then  conduct  an  ultimate  strength  analysis  of  the 
platform as a whole.


Despite significant member strength loss, the holes and dents had minimal effect
on overall platform strength. This was due to the location of the damaged
members on the structure, and to the redundancy present in the design^.

3.7  Summary

So  what  have  we  learned  about  managing  risk?  First,  human  error  is  of  greatest 
importance.  Training  and  active  management  support  can  significantly  reduce  this 
risk.  Second,  API's  approach,  based  on  industry  participation,  has  been 
remarkably  successful  in  developing  safe,  cost  effective  design  practices.  And 
third,  learn  from  the  past.  Examine  your  performance  and  find  ways  to  improve 
it. 


4.     Future  Directions 

Where  are  we  headed  regarding  risk  management  in  U.S.  waters?  Certainly  we  will 
continue  with  the  proven,  traditional  techniques  I  discussed  earlier. 


This  slide  shows  which  members  would  be  most  highly 
loaded  and  which  ones  would  buckle  when  the 
platform  reaches  its  ultimate  capacity.  Typically, 
this  capacity  is  about  1.5  to  2.5  times  greater 
than  the  loads  associated  with  the  100  year  storm. 


Further activity will probably stem from the present focus on quality. Like many
other companies, Chevron has been actively developing and applying quality
improvement strategies and tools. For example, we used this approach as part of
our Oil Spill Task Force effort.


[Slide: Future Directions. Quality Improvement Strategies; Formalized Risk Management; Comparative Risk Studies]


Formalized  risk  management  procedures 
will  be  applied  and  evaluated,  such  as  those  outlined  in  API  RP  750.  Hazard  and 
Operability  studies  (HAZOP)  will  be  conducted.  Quantitative  risk  assessments 
will  likely  increase. 


Comparative  risk  assessments  will  be  conducted  to  evaluate  alternative  concepts 
and  systems  for  deep-water  development. 


There  is  one  more  thing  that  we  can  say  about  the  future  effective  management  of 
risk,  and  it  is  the  main  point  I  hope  you  take  away  with  you. 

The  advanced  technology,  the  probabilistic  risk 
assessments,  the  well  planned  contingency 
operations  —  all  these  depend  upon  people  to  make 
them  effective.  It  is  through  our  people  that  we 
will  attain  our  goal  of  safe  and  pollution  free 
operations. Experience has shown that when we
motivate,  train,  equip,  and  empower  our  people, 
they  will  respond  to  the  challenges  facing  them. 
And they will succeed.

ABSTRACT

During  the  last  25  years,  structural  reliability  methods  have  found  increasing 
applications  in  the  design  and  re-qualification  of  offshore  platforms.  Recent 
experience  with  development  of  platform  environmental  loading  and  capacity 
characterizations  and  definition  of  reliability  targets  are  discussed  in  this 
paper  in  the  context  of  design  and  re-qualification  of  offshore  platforms. 
Reliability  based  design  criteria  developments  include  specified  reserve  strength 
analyses  of  the  intact  and  damaged  structure;  these  analyses  are  intended  to 
demonstrate  that  the  structure  has  adequate  capacity,  ductility,  reserve 
strength,  and  damage  tolerance.  Reliability  based  re-qualification  criteria 
developments  include  definition  of  guidelines  to  assist  judgements  of  platform 
suitability  for  service.  It  is  concluded  that  the  insights  that  can  be  provided 
by  experienced  applications  of  structural  reliability  methods  can  help  improve 
judgements  concerning  design  and  re-qualification  of  offshore  platforms. 
Additional  education,  experience,  and  development  of  reliability  applications 
guidelines  are  needed  to  allow  increased  realization  of  the  potentials  of  this 
technology. 

1.  Introduction

It  has  been  five  years  since  the  last  International  Workshop  on  Application  of 
Risk  Analysis  to  Offshore  Oil  and  Gas  Operations  was  held  (Yokel,  Simiu  1985). 
At  that  time,  the  American  Petroleum  Institute  (API)  was  well  along  with  its 
efforts  to  develop  a  reliability  based  Load  and  Resistance  Factor  Design  (LRFD) 
format  guideline  for  design  of  offshore  platforms.  The  Norwegian  Petroleum 
Directorate  (NPD)  had  initiated  its  efforts  to  implement  such  a  format  in  design 
of  structures  for  Norwegian  waters  and  the  NPD  was  advocating  the  use  of  risk 
analysis  techniques  to  perform  full-scope,  life-cycle  evaluations  of  proposed 
offshore  structures. 

The  workshop  explored  applications  of  reliability  methods  to  a  wide  variety  of 
segments  concerned  with  offshore  platforms  including  drilling  and  production 
operations,  design,  concept  development,  and  construction.  In  general,  the 
workshop  seemed  to  conclude  that  the  technology  was  still  very  immature.  There 
was  a  general  fear  that  risk  analysis  techniques  could  be  used  to  the  detriment 
of  the  objective  of  obtaining  and  maintaining  reliability  in  offshore  platforms 
and  their  operations. 

How  much  further  have  we  come  in  the  last  five  years?  The  API  has  issued  the 
first draft LRFD guidelines. The NPD has issued substantial revisions to its
guidelines. The United Kingdom (U.K.) has undertaken development of LRFD
guidelines  similar  to  those  of  API.  The  Canadian  Standards  Association  (CSA)  has 
issued  draft  Limit  State  Design  (LSD)  guidelines  that  contain  specific  target 
reliabilities  for  different  classes  of  structures.  Development  of  a  worldwide 
design  code  for  offshore  platforms  is  under  discussion.  Full-scope,  life-cycle 
applications  of  risk  analyses  recently  have  found  exploratory  applications  in 
studies  of  innovative  structures  for  U.S.  waters. 

Reliability  technology  has  seen  substantial  developments  during  this  same  time 
period.  There  have  been  major  improvements  in  reliability  methods  for  evaluation 
of  structural  systems,  for  evaluation  of  environmental  loadings,  and  for 
definitions  of  inspections  and  maintenance  strategies.  Software  has  been 
developed  and  implemented  that  helps  relieve  analysts  of  much  of  the  drudgery  of 
reliability  calculations. 

To  illustrate  application  of  some  of  the  progress  that  has  been  made,  the 
remainder  of  this  paper  will  be  devoted  to  two  applications  of  structural 
reliability  methods.  The  first  is  development  of  structural  design  criteria  for 
a  major  production,  drilling,  and  quarters  (PDQ)  platform  located  on  the 
Northwest Shelf of Australia. The second is development of re-qualification
criteria for an existing production and drilling (PD) platform in the Gulf of
Mexico.


2.     Design  Criteria 
2.1  Background

The  example  that  will  be  discussed  in  this  section  is  development  of  structural 
design  criteria  for  a  PDQ  platform  to  be  located  on  the  Northwest  Shelf  of 
Australia.  The  platform  will  be  a  conventional,  steel,  8-leg,  template-type, 
pile supported platform sited in a water depth of 135 m (443 ft) [Fig. 1]. This
is  an  area  that  is  frequented  by  intense  tropical  cyclones;  approximately  five 
such  storms  pass  in  the  vicinity  of  the  platform  each  year. 

The  platform  owner  and  operator  specified  that  the  basic  structural  design  should 
be  performed  according  to  the  working  stress  design  (WSD)  format  contained  in  the 
current  American  Petroleum  Institute  (API)  Guidelines  [API  RP  2A]  (American 
Petroleum  Institute  1989). 

The  platform  owner  and  operator  also  specified  that  the  platform  was  to  remain 
in  operation  during  tropical  cyclones.  Thus,  the  platform  would  not  be  de-manned 
in  advance  of  intense  storms. 

In  the  context  of  the  proposed  structure  configuration  and  operation,  the  design 
criteria  were  to  address  four  key  issues: 

1)  The required reserve strength, ductility, and residual strength,

2)  The design wave height and period (current and wind) and force
formulation to be used in conjunction with the API based WSD design
process,

3)  Definition of the elevations of the lower production decks, and

4)  Definition of a design approach to assure adequate damage tolerance in
the substructure.

2.2  Long-Term Wave Environment

An  extensive  investigation  of  the  oceanographic  environment  had  been  conducted 
by  the  platform  operator.  This  included  five  years  of  measurements  of  tropical 
cyclone  winds,  waves,  and  currents,  development  and  verification  of  a 
sophisticated  storm  hindcasting  model,  and  the  use  of  this  model  to  define  and 
evaluate  the  expected  annual  maximum  winds,  waves,  and  currents  expected  at  the 
platform  location. 

This work indicated a 100-year expected annual maximum wave height, $H_m$, of 20 m
(65.6 ft) [Fig. 2]. This wave was associated with a period of 12 s [steepness
of 1/12]. A directional spreading ($\cos^{2s}\theta$) exponent s = 1 [range s = 0.5 to
s = 2] was estimated for the extreme wave conditions.

The current, $U_c$, associated with the time and direction of occurrence of the
100-year $H_m$ was estimated to be 1.2 m/s (3.9 fps) at the surface and 0.8 m/s (2.6
fps) at the sea floor. The wind speed [1 min] at an elevation of 50 m (164 ft)
was estimated to be 75 m/s (168 mph).

The expected annual maximum wave heights and current speeds were well
characterized with lognormal distributions [Fig. 2]. The probability distribution
of the logarithms of the expected annual $H_m$ has a standard deviation, $\sigma_{H_m}$ = 0.27.
The median expected annual maximum wave height, H, is 10.5 m (34.4 ft).

2.3        Global  Storm  Forces 

Analyses  of  hydrodynamic  forces  developed  on  the  platform  by  various  combinations 
of  wave  heights,  periods,  and  forces  indicated  that  the  global  forces  (base 
shear,  overturning  moment)  varied  approximately  with  the  square  of  the  wave 
height.  Thus: 

$$S_m = K_d \, K_u \, H_m^2 \qquad (1)$$

where $K_d$ is a force constant that embodies the hydrodynamic force coefficient
(drag force dominated), the water density, and the projected area properties of
the structure; and $K_u$ is a constant that embodies the procedure used to calculate
the wave and current kinematics and their integration over the structure (Bea
1990a).

The  forces  were  computed  using  traditional  long-crested,  unidirectional  waves 
that  had  a  steepness  of  1/12,  current  speeds  consistent  with  the  occurrence  of 
the maximum wave height, and the Morison force formulation with a drag
coefficient, Cd = 0.7 and inertia coefficient = 2.0.

The 100-year cyclone conditions produced a maximum total lateral force of 84 MN
(18,900 kips), and an overturning moment at the sea floor of 9,546 MN-m (7.0 x
10^6 ft-kips). The currents accounted for 25 to 30 percent of the total maximum
forces. The wind forces accounted for 10 to 15 percent of the total maximum
forces.

The maximum lateral forces, $S_m$, defined as a function of $H_m$, and the probability
distribution of annual $H_m$ were used to define the probability distribution of the
expected annual maximum total lateral force acting on the proposed platform. The
probability distribution of the logs of the annual $S_m$ had a standard deviation,
$\sigma_{S_m}$ = 0.56 and coefficient of variation, $V_{S_m}$ = 61 percent. This figure reflects
only  inherent  variability  [Type  I,  natural  randomness]  in  the  expected  annual 
maximum  wave  heights.  Modeling  uncertainties  [Type  II]  associated  with  the 
prediction  of  the  expected  annual  maximum  storm  conditions  and  with  the 
prediction  of  forces  were  also  assessed  and  integrated  with  the  Type  I 
uncertainties. 

2.4  Wave  Height  Uncertainties 

The  evaluation  of  Type  II  uncertainties  in  the  predicted  storm  conditions  was 
developed  by  comparing  hindcast  and  measured  conditions  in  severe  tropical 
cyclones (Bea 1990a). In the case of the comparisons of hindcast and measured
maximum wave heights, the data indicated a median bias (measured/predicted) of
$B_{II H_m}$ = 1.0 and a $V_{II H_m}$ = 0.10.

2.5  Wave and Current Force Uncertainties

Turning to the hydrodynamic forces, there are two paths that could be followed
to evaluate uncertainties (Bea 1990a). One would be to evaluate each of the
components contributing to force uncertainties: kinematics and force calculations,
conditional on specification of the cyclone waves and currents.

A  second  approach  would  be  to  use  measured  global  wave  force  data  measured  on 
prototype  platforms  in  tropical  cyclones,  avoiding  the  explicit  evaluation  of 
kinematics  uncertainties.  The  second  approach  will  be  discussed  here.  Both 
approaches produced very similar results (Bea 1990a).

The evaluation of wave and current force uncertainties was based on wind, wave,
and current force measurements from the Conoco Test Structure (Bea, Pawsey, Litton
1991). The data (Block 6, characteristic of the wave conditions close to the
center of tropical cyclones) indicated a median bias $B_{II F_m}$ = 0.83 (Cd = 0.7) and
$\sigma_{II F_m}$ = 0.34 [Fig. 3]. The uncertainty associated with calculation of the
hydrodynamic forces is $\sigma_F$ = 0.32. The resultant Type I and Type II uncertainty in
the forces was estimated as $\sigma_S$ = 0.66.

Due principally to the lack of recognition of directional spreading in the
calculation of wave kinematics (and other errors in the force calculation process)
a conservative "bias" is introduced into the wave forces. In the criteria
development, this bias was eliminated through the introduction of a directional
spreading factor [e = 0.9] to correct the long-crested wave kinematics (Bea,
Pawsey, Litton 1991).

2.6  Structure Capacity Characteristics


The platform owner specified that the structural elements that comprised the
platform would be designed according to API RP 2A WSD guidelines. These
guidelines address how the elements of the structure should be proportioned, but
not how the assembled elements or structure system should perform. For this
criteria development, the performance of the platform structure system was specified
with the Reserve Strength Ratio (RSR) (Lloyd, Clawson 1983; Titus, Banon 1988;
Bea 1990b). The RSR is the ratio of the ultimate lateral capacity of the
platform structure system, Ru, to the design lateral loading, Sq [Fig. 4].

The  design  criteria  specified  that  after  the  primary  design  analyses  were 
complete,  the  structure  system  should  be  analyzed  using  nonlinear,  static 
push-over  analyses.  Based  on  the  results  of  these  analyses,  the  structure  was  to 
be capable of developing minimum nominal RSRs = 2.0.

The bias associated with the static push-over analysis, $B_{as}$, was estimated as the
product of a ductility factor, $F_\mu$, and a structural analysis bias, $B_{ss}$ [RSR =
RSRs × $B_{as}$; $B_{as}$ = $F_\mu$ × $B_{ss}$]. The ductility factor is a function of the type of
loading, the displacement capacity of the structure, and the residual strength
capacity of the structure [Fig. 4].

The displacement capacity of the structure was expressed as the ductility ratio,
$\mu$, of the maximum lateral displacement at which the structure could retain its
equilibrium, $\Delta_p$, to the displacement at which the structure first exhibited
significant inelastic behavior, $\Delta_e$ [$\mu = \Delta_p/\Delta_e$]. The residual strength was
expressed as the ratio, $\alpha$, of the residual capacity, $R_r$, at a displacement of $\Delta_p$
to the maximum lateral capacity, $R_u$ [$\alpha = R_r/R_u$]. The design criteria specified
that the platform should be capable of developing a minimum ductility of $\mu$ = 3.0
and a residual strength ratio of $\alpha$ = 1.0 (Bea 1990b).

Study of wave loadings acting on simplified nonlinear systems [Fig. 5] indicated
that the ductility factor was governed primarily by the ratio of the duration of
the peak wave loading on the platform, $t_d$, [approximately half the wave period]
to the natural period of the platform, $T_n$. For this structure this ratio was
approximately 2.0; thus, $F_\mu$ = 1.25.

Mill tests on the steels proposed for use in the construction of the platform
indicated a Type I bias in the steel strength (true/nominal) of $B_{ssI}$ = 1.1.
Evaluation of the analytical models that would be used to evaluate the ultimate
capacity of the platform braces that governed lateral capacity indicated a Type
II bias of $B_{ssII}$ = 1.1. The resultant bias was estimated as $B_{as}$ = 1.5.

The platform capacity probability distribution was assumed to be lognormal.
Evaluations of the Type I and Type II uncertainties associated with the
evaluations of the platform capacity characteristics were found to be $\sigma_{RI}$ = 0.10
and $\sigma_{RII}$ = 0.10. Thus, $\sigma_R$ = 0.14.

The resultant uncertainties in the logarithms of the maximum loadings and
capacities were estimated as follows:

$$\sigma^2 = \sigma_S^2 + \sigma_R^2 - 2\,\rho_{SR}\,\sigma_S\,\sigma_R \qquad (2)$$

where $\rho_{SR}$ is the correlation coefficient of the resistance and loading variables,
S and R. It is generally assumed that there is no correlation between the
capacity and the loading ($\rho_{SR}$ = 0.0). In some cases (e.g. high levels of cyclic
loadings acting on brace and foundation elements) the capacity is inversely
proportional to the intensity of the loading [$\rho_{SR} \approx -1$]. In these cases,
correlation of the loading and capacity can have important ramifications in the
characterization of reliability.

For this development, the loading and capacity were assumed to be uncorrelated
[$\rho_{SR}$ = 0.0], and the resultant standard deviation of the logarithms of the
loading and capacity computed as $\sigma$ = 0.67. It is noteworthy that the uncertainty
in the maximum loadings dominates the resultant uncertainty.
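The figures quoted in Sections 2.2 to 2.6 can be cross-checked with a short calculation. This is an added example, not code from the paper: the function names are hypothetical, every input is a value stated in the text, and it assumes the 0.34 Type II force figure of Section 2.5 is a log standard deviation.

```python
# Added example: cross-check of the lognormal load and capacity figures quoted
# in Sections 2.2 to 2.6. Function names are hypothetical; inputs are from the text.
import math
from statistics import NormalDist


def return_period_value(median, sigma_ln, years):
    """Annual maximum with a return period of `years` for a lognormal variable."""
    z = NormalDist().inv_cdf(1.0 - 1.0 / years)
    return median * math.exp(z * sigma_ln)


def cov_from_sigma_ln(sigma_ln):
    """Coefficient of variation of a lognormal variable with log-std sigma_ln."""
    return math.sqrt(math.exp(sigma_ln ** 2) - 1.0)


def rss(*sigmas):
    """Root-sum-square combination of independent log standard deviations."""
    return math.sqrt(sum(s * s for s in sigmas))


def resultant_sigma(sigma_s, sigma_r, rho_sr=0.0):
    """Eq. (2): log-std of the load/capacity pair for correlation rho_sr."""
    variance = sigma_s ** 2 + sigma_r ** 2 - 2.0 * rho_sr * sigma_s * sigma_r
    return math.sqrt(variance)


def paper_cross_check():
    """Recompute the quoted results from the quoted inputs."""
    h_median, sigma_h = 10.5, 0.27            # Section 2.2
    sigma_s_type1 = 0.56                      # Section 2.3, Type I only
    sigma_s_type2 = 0.34                      # Section 2.5, assumed to be a log-std
    f_mu, b_steel, b_model = 1.25, 1.1, 1.1   # Section 2.6
    rsr_static = 2.0                          # minimum nominal RSRs

    sigma_s = rss(sigma_s_type1, sigma_s_type2)
    sigma_r = rss(0.10, 0.10)
    b_as = f_mu * b_steel * b_model
    return {
        "H_100yr_m": return_period_value(h_median, sigma_h, 100),
        # Eq. (1) alone gives ln S = const + 2 ln H; the paper quotes 0.56.
        "sigma_S_from_H_squared": 2.0 * sigma_h,
        "V_Sm": cov_from_sigma_ln(sigma_s_type1),
        "sigma_S": sigma_s,
        "B_as": b_as,
        "RSR": rsr_static * b_as,
        "sigma_R": sigma_r,
        "sigma": resultant_sigma(sigma_s, sigma_r, 0.0),
        # Sensitivity: capacity fully negatively correlated with load.
        "sigma_rho_minus1": resultant_sigma(sigma_s, sigma_r, -1.0),
    }


if __name__ == "__main__":
    for name, value in paper_cross_check().items():
        print(f"{name:24s} {value:.3f}")
```

With the quoted inputs the resultant value is dominated by the loading term, and setting the correlation to -1 raises it from about 0.67 to about 0.80.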

2.7  Required Reliability

The  acceptable  (tolerable,  desirable)  or  target  reliability  for  the  structure  was 
evaluated  using  two  approaches  (Bea  1990b;  Bea  1991).  The  first  approach  is 
termed  the  "historical"  approach.  It  is  based  on  statistics  of  the  performance 
characteristics  of  a  wide  variety  of  engineered  structures,  including  offshore 
platforms  comparable  with  this  structure.  The  premise  of  this  approach  is  that 
over  time  and  with  experience,  the  industry  and  the  societies  that  it  serves  have 
determined  "acceptable"  and  "marginal"  balances  between  the  likelihoods  of 
failure,   Pf,   and  the  consequences  of  the  failures,   C  [Fig.  6]. 

The two lines labeled "acceptable" and "marginal" [Fig. 6] can be expressed
analytically as follows:

Pf (acceptable) = 10-^°-^^ + i-^^)    (3)

Pf (marginal) = 10-<°-^       cf + 0.95)    (4)

The total costs of failure, CF, are expressed in millions of 1990 U.S. dollars.
Note that an alternative measure of the costs of failure is the average number
of fatalities associated with the failures.

The second approach is termed the "expected cost minimization" approach. This
approach is based on an evaluation of the expected initial and future costs
associated with the platform structure performance. The premise of this approach
is a minimization of the total expected costs (initial and future) associated
with alternative platform design characteristics.

Initial costs include all first costs for the development alternative. Future
costs include all costs associated with operation and maintenance, and in
particular the risk costs. The risk costs are the costs associated with
productivity (expected losses due to deferred production), property (expected
salvage and replacement costs), environmental damage (pollution abatement,
clean-up, and restoration), costs associated with injuries and fatalities, and
costs associated with the resource development (lost production costs).

Given that the costs associated with a development alternative can be reasonably
related linearly to the logarithm of the likelihood of failure, Pf, [Fig. 7] then
it can be shown that the probability of failure associated with the minimum total
cost is (Bea 1991):


Pfo  =  0.435/[Rc  f] 


(5) 


where Rc is a cost ratio. The cost ratio is the ratio of the expected cost of
the platform loss of serviceability ("Cost of Failure", CF) to the cost needed
to decrease the annual likelihood of the platform loss of serviceability by a
factor of 10. In the case of future costs, the potential future risk costs need
to be discounted to present values with a present value discounting function, f.
In the case of a continuous replacement based operation that has an exposure
period, L, and a net discount rate, r, f can be expressed as:

$$f = \frac{1 - (1 + r)^{-L}}{r} \qquad (6)$$

For long life structures and continuous replacement of failed structures f = 1/r.

For the cases of non-replacement of the structure after failure, and deferred
revenues considerations, more complex present value discount functions need to
be considered (Stahl 1986).

The value of Pf determined on the basis of the foregoing approaches refers to the
reliability associated with all aspects of the operations. Experience with
permanent, bottom-supported drilling and production platforms indicates that 70
to 80 percent of accidents that develop "failure" [significant damage or losses
of serviceability] in these structures are due to causes other than the structure
and the environment (e.g. fires, explosions, blowouts, collisions, etc.) [Fig 8]
(Bea 1991). This can be expressed as:

$$P_f = P_{fs} + P_{fo} \qquad (7)$$

where Pf is the total probability of failure, Pfs is the probability of failure
associated with the structure and Pfo is the probability of failure due to
operational hazards. Thus:

$$P_{fs} = P_f \left[1 - \frac{P_{fo}}{P_f}\right] \qquad (8)$$

Consideration of the operations for the proposed platform (no oil production, gas
production transported directly to shore based facilities) indicated that
operating hazards could be assumed to contribute 60 to 70 percent of the total
likelihood of failure. Thus, Pfs = 0.3 Pf.

Evaluation of the total costs associated with failure of the platform indicated
CF = $500 million. Substitution of this value into Eq. 3 gives Pf = 7.6 x 10⁻⁴
per year. Allocating 30 percent of Pf to the tropical cyclone hazard would
indicate Pfs = 2.3 x 10⁻⁴ per year. In the case of operations based on
evacuation of personnel in advance of severe tropical cyclones, CF is estimated
as $300 million. Again substituting this value into Eq. 3 gives Pf = 1.1 x 10⁻³
per year; thus, Pfs = 3.3 x 10⁻⁴ per year.

Evaluating the platform using the cost minimization approach, and based on CF =
$500 million, f = 10, and Rc = 50, gives Pf = 8.7 x 10⁻⁴ per year. Allocating
30 percent of Pf to the storm hazard gives Pfs = 2.6 x 10⁻⁴ per year. In the case
of operations based on evacuation of personnel in advance of severe tropical
cyclones, Rc = 30, Pf = 1.4 x 10⁻³ per year, and Pfs = 4.2 x 10⁻⁴ per year.

Thus, the range of Pfs indicated by the historical and cost minimization
approaches is from 2.3 to 2.6 x 10⁻⁴ per year for manned operations and from 1.1
x 10⁻³ to 4.3 x 10⁻⁴ per year for unmanned operations.

These  values  are  in  good  agreement  with  those  developed  in  studies  of  comparable 
platform  operations  in  the  North  Sea  [manned]  (Offshore  Certification  Bureau 
1988),  and  in  the  Gulf  of  Mexico  (evacuated  in  advance  of  hurricanes)  (Bea  1990). 

These Pfs are equivalent to structural Safety Indices of β = 3.6 for manned
operations and β = 3.3 for unmanned operations [Pf ~ 10"^; Pf = 0.475 exp(-β^1.6),
1 < β < 3].

2.8  Design  Wave  Height 

Given lognormally distributed expected annual maximum tropical cyclone loadings
(S) and platform capacities (R), the Safety Index, β, is computed as follows:

$$\beta = \frac{\ln(R/S)}{(\sigma_R^2 + \sigma_S^2)^{0.5}} = \frac{\ln(R/S)}{\sigma} \qquad (9)$$

where R and S are the median (50-percentile) ultimate capacity and expected
annual maximum loadings, respectively. σR and σS are the standard deviations
of the logarithms of the platform capacity and expected annual maximum loadings,
respectively.

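Given the foregoing developments, the design wave height for the WSD design can
be expressed as:

$$H_d = \left[\frac{H^2}{\mathit{RSR}} \exp(\beta\sigma)\right]^{0.5} \qquad (10)$$

Thus:

$$H_d = \left[\frac{10.5^2\ \mathrm{m}^2}{3} \exp(3.6 \times 0.67)\right]^{0.5} = 20\ \text{meters} \qquad (11)$$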

This  design  wave  height  would  have  an  average  return  period  of  100  years  [Fig. 
2].  The  wind  speed  and  current  speed  conditional  on  the  time  and  direction  of 
occurrence  of  the  100-year  return  period  wave  height  would  be  used  in  the  design 
criteria  formulation.  The  design  wave  height  would  be  assumed  to  have  a  height 
to  length  ratio  of  1/12  [range  1/10  to  1/13]. 

2.9  Design  Deck  Elevation 

The  design  deck  elevation  was  determined  based  on  the  elevation  required  to  clear 
the  forceful  portion  of  the  crest  of  the  expected  annual  maximum  wave  that  would 
bring  the  platform  to  its  ultimate  limit  state  [RSR  =  1.0].  Allowing  for 
subsidence,  water  depth  tolerance,  storm  and  astronomical  tides,  the  deck 
clearance elevation [above mean sea level], Ed, was based on the following
relationship:

$$E_d = 0.6 \left[H^2 \exp(\beta\sigma)\right]^{0.5} \qquad (12)$$

Thus:

$$E_d = 0.6 \left[10.5^2 \exp(3.6 \times 0.67)\right]^{0.5} = +21\ \text{m} = +70\ \text{ft} \qquad (13)$$

The  expected  annual  maximum  wave  height  associated  with  this  crest  elevation  had 
an  average  return  period  in  excess  of  10,000  years  [Fig.  2]. 

2.10  Design  RSR  For  Damaged  Conditions 

The  design  nominal  RSRs  for  platform  damaged  conditions  was  based  on  the  strength 
of  the  platform  that  would  implicate  de-manned  platform  operations.  The  nominal 
RSRs  was  estimated  from: 

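$$\mathit{RSR}_s = \left[\frac{H^2}{\mathrm{Bas} \times H_d^2}\right] \exp(\beta\sigma) \qquad (14)$$

Thus:

$$\mathit{RSR}_s = \left[\frac{10.5^2}{1.5 \times 20^2}\right] \exp(3.5 \times 0.67) = 1.6 \qquad (15)$$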

2.11  Intact  Push-Over  Analyses 

Following  completion  of  the  WSD  API  RP  2A  based  design  of  the  platform  structure, 
the  structure  was  subjected  to  a  series  of  static,  nonlinear  push-over  analyses 
to  demonstrate  that  it  possessed  adequate  reserve  strength,  ductility,  and 
residual  strength  (Piermattei,  Ronalds,   Stock  1990). 

The  analyses  indicated  that  modifications  to  the  primary  diagonal  braces  and 
joints  (added  approximately  1,000  tonnes  of  steel)  were  required.  In  addition, 
the design factors-of-safety used to define the axial capacity of the clustered
corner  piles  for  storm  and  operational  loadings  were  increased  to  3.0.  In 
addition,  spare  pile  sleeves  were  included  at  the  corners  to  allow  the  foundation 
capacity  to  be  supplemented  if  pile  installation  difficulties  were  encountered. 
With  these  modifications,  the  structure  was  able  to  demonstrate  acceptable 
performance characteristics [Fig. 9].

2.12  Design  Damage  Conditions 

One  of  the  primary  objectives  of  this  part  of  the  design  criteria  was  to  develop 
a  structure  that  would  possess  sufficient  robustness  or  tolerance  to  damage.  The 
design  for  damage  was  based  on  damage  experience  with  similar  platforms  and  for 
the  proposed  operations  of  this  specific  platform. 

Of  importance  in  this  regard,  was  the  decision  by  the  platform  owner  not  to  allow 
supply  boat  operations  in  the  vicinity  of  the  platform  during  severe  weather 
conditions.  Special  stand-off,  tie-up  buoys  and  deck  cranes  with  sufficiently 
long  booms  and  capacity  were  provided  to  allow  remote  boat  resupply  operations. 
Mooring  and  boat  operations  in  the  vicinity  of  the  platform  were  restricted  to 
specified  maximum  sea  conditions.  These  sea  conditions  became  the  basis  for 
evaluation  of  boat  inflicted  damage. 

The damage conditions were based on definition of the high probability damage and
consequence (to strength) members (e.g. legs, diagonal braces) [Fig. 10]. The
high  consequence  members  were  identified  based  on  the  results  of  the  intact 
structure  analyses.  Missing  member  analyses  were  performed  involving  diagonal 
and  horizontal  braces.  Six  damage  scenarios  were  defined  based  on  dropped 
objects.  Boat  collisions  with  the  corner  and  interior  legs  were  also 
investigated.  Damage  inflicted  by  the  collisions  and  dropped  objects  was 
evaluated  and  the  member  properties  adjusted  to  reflect  the  extent  of  damage. 

The  study  identified  the  need  to  add  additional  steel  in  the  areas  of  some 
damaged  members.  Approximately  120  tonnes  of  steel  had  to  be  added  to  the  jacket 
to  allow  the  structure  to  develop  RSRs  equal  to  1.6  [Fig.  10]  (Piermattei, 
Ronalds, and Stock 1990).

2.13 Summary

Structural  reliability  methods  were  used  to  develop  advanced  design  criteria  for 
a  major  PDQ  platform,  all  within  the  context  of  traditional  WSD  methods.  The 
primary  design  analyses  of  the  structure  were  conducted  using  conventional 
methods  with  little  disruption  to  the  normal  design  process.  Reliability  methods 
were  used  to  define  the  basis  for  the  design  tropical  cyclone  forces,  and  for 
nonlinear push-over verification analyses intended to demonstrate that the
platform  possessed  sufficient  reserve  strength,  ductility,  and  residual  strength 
in  its  intact  condition.  These  methods  were  extended  to  define  damage  conditions 
and  analyses  for  the  structure  to  assure  that  it  possessed  adequate  robustness 
or  damage  tolerance. 

3. Re-qualification Criteria

3.1 Background

There  are  about  6,000  major  platforms  located  on  the  World's  Continental  Shelves. 
Approximately  3,000  of  these  are  located  in  the  Gulf  of  Mexico.  Many  of  these 
platforms  have  experienced  the  compounding  effects  of  aging  including  corrosion, 
degradation  of  joints  due  to  fatigue,  damage  due  to  collisions  and  dropped 
objects, insufficient maintenance, and technical obsolescence (early generation
design criteria and construction methods). Many of these structures are being
called upon for extended lives, in some cases of the order of twice the original
design life. The industry is developing sophisticated approaches for the
re-qualification of these structures (Skarr, et al. 1991).

This  section  will  deal  with  one  such  platform,  a  PD  platform  located  offshore  the 
Louisiana  coast  in  150  ft  (45.7  m)  of  water  (Bea,  Puskar,  Smith,  Spencer  1988). 
The  platform  is  a  5-leg,  fixed  drilling  platform  that  was  installed  in  1962  [Fig. 
11].  It  was  originally  designed  for  a  46  ft  (14  m)  25-year  return  period  wave 
height.  Nine  gas  wells  were  completed  on  the  platform.  It  is  unmanned.  Based 
on  present  production  estimates  and  profitability  guidelines,  the  platform  is 
proposed  for  a  10-year  remaining  life. 

Underwater  inspections  disclosed  a  wide  variety  of  structural  defects  and  damage 
[Fig.  11]  that  range  from  missing  diagonal  braces  to  cracked  joints. 

The basic objective of this work is to find a combination of structural and
operational measures that will allow re-qualification of the structure for
another 10-year life. A principal objective is to develop structural
reliability based re-qualification criteria to determine the suitability for
service of this structure and its proposed operations.

3.2  Hurricane  Loadings 

Advanced  oceanographic  studies  were  conducted  to  identify  site  specific  hurricane 
wind,  wave,  and  current  conditions  [Fig.  12].  The  evaluations  indicate  that  the 
platform  has  experienced  several  hurricanes  that  have  developed  wave  heights 
close  to  the  design  wave  height.  One  of  the  storms  [Hurricane  Hilda  in  1964] 
developed  wave  heights  that  inundated  the  lower  decks.  This  same  storm  caused 
failures  of  some  13  other  platforms. 

Evaluations  of  the  forces  exerted  on  the  platform  were  based  on  the  guideline 
minimum wave force approach defined in API RP 2A [Section 2.3.4 g. Forces. Cd =
0.6].  The  total  maximum  lateral  hurricane  loading  as  a  function  of  the  return 
period  associated  with  the  predicted  expected  maximum  wave  heights  indicated  that 
waves  begin  to  impact  the  deck  at  wave  heights  having  average  return  periods  of 
approximately  35  years  [Fig.  13].  The  dramatic  increase  in  loadings  (vertical 
and  horizontal)  is  caused  by  the  combination  of  the  large  exposed  deck  areas  and 
the  high  water  particle  velocities  near  the  crest  of  the  wave. 

For  a  100-year  return  period  wave  height,  the  lateral  loading  based  on  the  API 
guideline  minimum  wave  force  approach  [with  deck  in  wave  crest]  indicates  a  load 
of approximately 2,000 kips (8.9 MN). With the decks raised, the 100-year
conditions loading is reduced to approximately 1,200 kips (5.3 MN).

3.3  Platform  Capacities 

Evaluations of the platform capacity were made using nonlinear, static push-over
analyses of the structure and foundation system [Fig. 14]. The structure and
foundation element capacity characteristics were defined appropriate for the
early design characteristics of the platform. Because there are no joint
reinforcing cans and the leg-pile is ungrouted, punching problems at the joints
often controlled the brace load carrying capacity; thus, the brace capacity was
modified to account for premature punching or tearing of the leg joints. The
capacity of the damaged elements was modeled according to results from recently
completed laboratory investigations.

The steel used in the platform was A36 with a nominal yield stress of 36 ksi (248
MPa). Based on mill certification specifications which were located for this
platform,  the  nominal  value  was  increased  by  14  percent  to  account  for  the 
difference  between  the  mean  and  the  nominal  strength.  An  additional  10  percent 
increase  was  recognized  based  on  the  difference  between  the  low  rate  of  strain 
used  in  the  mill  tension  tests  as  compared  with  the  wave  loading  strain  rates. 

The  low  natural  period  of  this  platform  (Tn  =  0.5  s)  combined  with  the  duration 
of the peak wave loading (td = 5 to 6 s), indicated very small ductility
corrections  to  the  static  push-over  results  (Fi/  ~  1.0). 

In its present condition, the platform indicated an expected maximum capacity Ru
= 1,000 kips (4.4 MN), and a RSR = 1,000 kips/2,000 kips = 0.5.

Three alternatives were considered for rehabilitation of the structure [Fig. 14].
These included:

a) repairing the damage and returning the platform to the as-designed
condition;

b)  repairing  the  damage  and  grouting  the  legs  to  the  piles  to  strengthen  the 
joints,  and 

c)  repairing  the  damage  and  raising  the  deck  15  feet  above  the  100-year 
expected  maximum  crest  elevation. 

The RSR was evaluated for each of the alternatives [Fig. 14]. The RSR ranged
from  0.55  [repaired]  to  1.25  [repaired,  raised  decks]. 

3.4        Acceptable  RSR 

In  this  development,  it  will  be  assumed  that  for  communication  and  decision 
making  purposes  it  will  be  desirable  to  characterize  the  risks  associated  with 
a particular platform into three general categories: Low Consequences (LC),
Moderate Consequences (MC), and High Consequences (HC). Such general qualitative
categories can be very useful in public and regulatory communications of risks,
and judgements concerning structure suitability for service [Skarr, et al. 1991].

A  LC  category  platform  would  be  one  that  would  pose  no  or  little  risks  to  the 
environment,  resource,  productivity,  life,  or  property.  For  example,  an 
unmanned,  well-jacket  (small  platform  that  supports  a  few  wells)  whose  wells  were 
equipped  with  reliable  down-hole  subsurface  safety  valves,  and  whose  risers  were 
equipped  with  emergency  shut-downs  and  back-flow  prevention  valves  could  be 
placed  in  this  general  category.  In  terms  of  cost-benefit  analyses,  the 
consequences could be expressed as C = Rc x f. A low consequence category could
be  assumed  to  have  C  =  1  to  10. 

An  HC  category  would  be  a  platform  that  would  pose  significant  or  major  risks. 
Platforms  that  supported  large  drilling  and  production  operations  and  that  were 
manned  with  a  large  number  of  personnel  could  be  placed  in  this  general  category. 
A  high  consequence  category  could  be  assumed  to  have  C  =  100  to  1,000. 

An  MC  category  would  be  a  platform  that  would  pose  risks  that  would  fall  in 
between  these  two  extremes.  Manned  platforms  that  were  evacuated  in  advance  of 
extreme  storms  could  be  placed  in  this  category.  An  MC  category  could  be  assumed 
to  have  C  =  10  to  100. 


Given  that  the  platform  demands  (loads)  and  capacities  are  modeled  with  lognormal 
distributions, then the RSR can be related to the Safety Index, β, as follows
(Bea, Puskar, Smith, Spencer 1988):

$$\mathit{RSR} = R_p \exp(\beta\sigma) \qquad (16)$$

where Rp is the ratio of the median expected annual maximum force, S, to the
reference level design force, S^. When this reference force is defined on the
basis of the 100-year design force,

$$R_p = \exp(-2.33\,\sigma_S) \qquad (17)$$

For this example, and based on the results developed by Bea (1990) and Bea,
Puskar, Smith and Spencer (1988), σS = 0.75, and Rp = 0.17. The uncertainty
associated with the platform capacity was evaluated to be σR = 0.25 [reflects
additional uncertainties associated with damaged and repaired conditions]. The
resultant uncertainty in capacity and loadings is σ = 0.79. Both Type I and Type
II uncertainties have been included in these figures.

While  the  assumed  total  uncertainty  might  be  appropriate  for  some  platforms  in 
the  Gulf  of  Mexico,  it  could  be  an  inappropriate  estimate  for  other  platforms. 
Data  gathering,  proof  loadings  by  previous  severe  environmental  events,  and  other 
similar  sources  of  experience  could  lead  to  reductions  in  the  uncertainties.  In 
addition,  there  may  be  different  loading  and  capacity  uncertainties  associated 
with  other  deep  and  shallow  water  locations  (e.g.  truncation  of  wave  heights  due 
to wave breaking in shallow water). The definition of the appropriate reserve
strength  ratios  would  need  to  reflect  these  potential  effects  on  the  probability 
characterizations  (Aggarwal,  Bea,  Gerwick,  Ibbs,  Reimer,  Lee  1990). 

Based on an expected cost minimization analysis [Fig. 7] (Bea 1991), an
"acceptable" Safety Index can be expressed as:

$$\beta = \left\{-\ln\left[\frac{0.915}{f R_c}\right]\right\}^{0.625} \qquad (18)$$

If it were assumed that the criterion to define the marginal Pf was the point on
the expected total cost of failure curve where a slope equal to that of the
initial cost curve was developed (investment to reduce risk = reduction in
expected total costs), then the "marginal" Safety Index could be defined as:

$$\beta = \left\{-\ln\left[\frac{1.83}{f R_c}\right]\right\}^{0.625} \qquad (19)$$

For the purpose of this development, it will be assumed that there are five major
safety hazards that the platform must confront: fires, explosions, blowouts,
collisions, and storms. It will be assumed that the storms will be allocated
one-fifth of the total probability of failure deemed acceptable and marginal for
the platform; thus, Pf storms = 0.2 Pf.

Fig. 15 summarizes the results for the cost minimization approach to define
acceptable and marginal combinations of consequences, C [C = Cf x f], and RSR.

Alternatively, the history based approach for determining the Safety Index could
be used [Fig. 6]. It is important to note that the experience based and utility
based measures of consequences are not the same. This is because the experience
based measure is expressed directly by the monetary costs associated with
failure, CF, while the utility based measure reflects not only the monetary costs
associated with failure, but as well, the costs associated with improving the
reliability of the structure, and the present value discount function.

Fig. 16 summarizes the results for the experience based combinations of
consequences and RSR. Comparison of the RSR indicated by the three categories
of consequences in Fig. 15 and Fig. 16 indicates reasonable agreement.

3.5 Observations

These  results  indicate  that  the  platform  will  not  qualify  in  its  present 
condition.  Further,  repair  of  the  platform  and  restoring  it  to  its  original 
as-designed  condition  will  not  qualify  the  structure.  Only  in  the  case  of 
repairing the platform and raising the decks will the structure qualify for
service.

Given  that  a  particular  platform  repair  and  operations  program  would  not  meet  the 
minimum RSR indicated by the utility and experience based approaches, a variety
of  options  should  be  investigated  including: 

a)  reducing  potential  consequences  (through  improved  controls  on  life, 
resource,  pollution,  and  property  losses), 

b) increasing the platform strength (repairs or other strengthening
measures),

c) decreasing the platform reference force (removal of marine growth,
removal of unnecessary appurtenances),

d) decreasing the proportion of safety that must be allocated to non-storm
related hazards (decreased likelihoods of collisions, blowouts, fires,
explosions), and

e) decreasing the uncertainties in loadings and capacities (implement data
and information gathering programs and improved analyses).

If  none  of  these  measures  are  effective  or  can  be  justified  economically,  then 
the  implication  is  that  the  structure  should  be  removed  from  service. 
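The screening of Sections 3.4 and 3.5, together with the target-reliability relations of Sections 2.7 and 2.8, worked through in Python as an added example (not code from the paper). The function names, the consequence value C = 10, and the way the one-fifth storm allocation is applied to Pf before inverting for the Safety Index are assumptions of this example; the RSR values and uncertainties are the paper's.

```python
"""Added worked example: target reliability and RSR screening (Eqs. 5-6, 10, 16-19)."""
import math

# Values quoted in the paper.
SIGMA_S = 0.75      # std. dev. of the log of the annual maximum loading
SIGMA_R = 0.25      # std. dev. of the log of the capacity (damaged/repaired)
ALTERNATIVES = {    # RSR from the push-over analyses
    "present condition": 0.50,
    "repaired": 0.55,
    "repaired, raised decks": 1.25,
}
ASSUMED_C = 10.0    # assumption of this example: consequence measure C = f * Rc


def present_value_function(r, L=None):
    """Eq. 6: f = [1 - (1 + r)^-L] / r. L=None is the long-life limit f = 1/r."""
    if r <= 0:
        raise ValueError("net discount rate must be positive")
    return 1.0 / r if L is None else (1.0 - (1.0 + r) ** (-L)) / r


def optimum_pf(Rc, f):
    """Eq. 5: annual Pf at the minimum of the expected total cost."""
    return 0.435 / (Rc * f)


def safety_index(pf):
    """Invert Pf = 0.475 exp(-beta^1.6), the approximation behind Eqs. 18 and 19."""
    ratio = pf / 0.475
    if not 0.0 < ratio < 1.0:
        raise ValueError("Pf outside the range of the approximation")
    return (-math.log(ratio)) ** 0.625


def resultant_sigma(sigma_S, sigma_R):
    """Uncorrelated loading and capacity: sigma = (sigma_R^2 + sigma_S^2)^0.5."""
    return math.hypot(sigma_S, sigma_R)


def design_wave_height(H, rsr, beta, sigma):
    """Eq. 10: Hd = [(H^2 / RSR) exp(beta * sigma)]^0.5."""
    return math.sqrt(H ** 2 / rsr * math.exp(beta * sigma))


def required_rsr(C, sigma_S=SIGMA_S, sigma_R=SIGMA_R, storm_share=0.2, marginal=False):
    """Eqs. 16-19: RSR needed for a consequence measure C = f * Rc.

    Assumption of this example: the storm allocation multiplies Pf before the
    Safety Index is computed. The marginal Pf is twice the acceptable one,
    which is the 1.83 / 0.915 ratio between Eqs. 19 and 18.
    """
    pf_total = (2.0 if marginal else 1.0) * 0.435 / C
    beta = safety_index(storm_share * pf_total)
    Rp = math.exp(-2.33 * sigma_S)  # Eq. 17, 100-year reference force
    return Rp * math.exp(beta * resultant_sigma(sigma_S, sigma_R))


def screen(rsr, C):
    """Place one RSR against the acceptable and marginal requirements."""
    if rsr >= required_rsr(C):
        return "acceptable"
    if rsr >= required_rsr(C, marginal=True):
        return "marginal"
    return "does not qualify"


def screen_alternatives(C=ASSUMED_C):
    """Screen the three RSR values the paper reports for the 1962 platform."""
    return {name: screen(rsr, C) for name, rsr in ALTERNATIVES.items()}


if __name__ == "__main__":
    print(f"Eq. 5, Rc = 50, f = 10: Pf = {optimum_pf(50, 10):.1e} per year")
    print(f"Eq. 10, H = 10.5 m, RSR = 3: Hd = {design_wave_height(10.5, 3, 3.6, 0.67):.1f} m")
    print(f"Acceptable RSR at C = {ASSUMED_C:g}: {required_rsr(ASSUMED_C):.2f}")
    print(f"Marginal RSR at C = {ASSUMED_C:g}: {required_rsr(ASSUMED_C, marginal=True):.2f}")
    for name, verdict in screen_alternatives().items():
        print(f"{name}: RSR = {ALTERNATIVES[name]:.2f} -> {verdict}")
```

Raising C toward the Moderate or High Consequences ranges raises the required RSR, so the assumed C = 10 is the least demanding case that still separates the three alternatives.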

4. Conclusions

4.1        General  Observations 

During the last thirty plus years, engineers have been developing and
implementing structural reliability methods in design and re-qualification of
offshore  platforms.  Researchers  have  developed  an  imposing  storehouse  of 
reliability  technology. 

There  has  been  generally  good  experience  with  applications  of  structural 
reliability  methods  to  special  problems,  and  with  code  and  guideline 
developments. It has taken much longer to develop acceptance by the
practitioners than it has taken to develop the basic technology and background.

In the main, the practicing structural engineers (designers) still remain largely
insulated from reliability technology. Reliability based design code
developments have developed relatively few converts to the theology of
reliability.

Why  is  this?  The  answers  are  varied.  Education  of  practicing  structural 
engineers is a primary hurdle. As well, important limitations in what has been
developed are another primary problem.

The  education  challenge  goes  in  several  directions.  First,  practicing  engineers 
need  to  learn  about  what  has  been  developed  and  how  it  can  help  them.  Second, 
researchers  need  to  learn  about  what  problems  need  to  be  solved  before  the 
technology  can  be  implemented  in  a  mature  way.  Third,  managers  need  to  learn  how 
to  understand  and  interpret  the  results,  and  participate  in  supplying  information 
that  facilitates  the  decision  making  processes  that  can  lead  to  applications  and 
support  for  high  priority  research  and  development. 

4.2  Limitations 

What  about  the  limitations?  We  seem  to  be  struggling  with  a  large  variety  of 
important  problems  such  as: 

a) Defining practical approaches and processes that can lead to
characterization and definition of desirable, acceptable, or tolerable
reliability of structural systems.

b) Defining, characterizing, and analyzing uncertainties including inherent
randomness; modeling, measurement, and data uncertainties, and
human-organizational actions uncertainties.

c) Defining practical methods for realistic characterization of the
reliability of structural systems (assemblies of elements) including the
effects of the environment, design, construction, and operations
processes.

d) Defining practical methods for realistic characterization of loadings and
demands placed on structural systems including those from construction
and operations.

e) Defining methods, analyses, and implementation frameworks to assist in
the management of the organizational and human error aspects that play
such an important role in the reliability of structural systems.

f) Defining effective design code and special problem structural reliability
analysis formats that will allow information sensitive, full-scope,
life-cycle reliability methods to be implemented in design of new
structural systems, and re-qualification and rehabilitation of such
systems.

Perhaps  application  and  implementation  of  reliability  methods  have  been  slow 
because  the  technology  is  still  incomplete  in  some  very  important  details,  and 
suffers  from  many  significant  limitations.  Also,  perhaps  the  motivations  for  the 
practicing  engineer  to  learn  and  apply  the  technology  have  been  lacking  or  slow 
to  develop. 

It would appear that we still have a long way to go before we can claim maturity
in  applications.  The  research  and  engineering  communities  have  much  to  do  and 
learn. 

4.3  Prospects 

The prospects for the applications of structural reliability methods in design
and re-qualification of offshore platforms are very encouraging. These methods
have  proven  to  be  a  valuable  asset  in  helping  address  unusual  problems  associated 
with  design  of  offshore  platforms  [Bea,  Moore,  Lee  1991]. 

The  direct  application  of  reliability  technology  in  the  general  structural  design 
process  seems  to  be  well  beyond  our  current  capabilities.  Design  for  explicit 
reliability  targets  or  resource  optimized  reliability  seems  to  be  in  the  very 
distant  future.  This  is  not  so  much  because  of  the  reliability  technology 
limitations,  but  because  of  more  basic  technology  and  political  limitations. 

Performing  realistic  ultimate  limit  state  analyses  of  complex  structural  systems 
severely  stretches  our  current  practice  capabilities.  Competent  and  workable 
analytical  models  for  the  behavior  of  new,  defective,  and  repaired  steel, 
concrete,  composite,  and  foundation  elements  need  development.  This  seems  to  be 
much  more  of  a  basic  mechanics  problem  than  a  reliability  problem. 

Performing  realistic  fatigue  analyses  of  complex  structural  systems  that  can 
realistically  reflect  ultimate  limit  state  and  serviceability  limit  state  effects 
is still farther from our reach. This is particularly true when one attempts
to recognize potential design, construction, and operations flaws, complex
environmental-operational loadings, dynamic responses, and the effects of
inspection, maintenance, and repair intervention programs.

But,  if  this  is  the  state  of  affairs,  why  all  of  the  optimism  about  prospects? 
Because  we  practicing  structural  engineers  badly  need  the  help  that  this 
technology  can  provide,  even  in  its  present  state  of  development. 

Our  problems  are  rapidly  becoming  more  complex.  We  have  accelerated  the 
development  of  innovative  structures  that  are  frequently  placed  in  very  hazardous 
or  sensitive  environments.  We  are  working  in  a  very  complex  mixture  of 
political-social-economic  environments.  The  engineer  is  being  forced  to  form  a 
partnership  between  nature  and  society. 

In  developed  areas,  we  are  faced  with  an  aging  infrastructure  that  we  can  not 
afford  to  throw  away  and  replace.  We  must  find  out  how  to  work  with  what  we 
have, and not compromise technical, economic, and risk standards.

In  developing  areas,  we  are  faced  with  severe  economic,  environmental,  technical 
and  social-political  constraints.  Again,  we  must  find  out  how  to  work  with  what 
we  have  and  not  compromise  appropriate  standards. 

4.4  Challenges 

The  first  primary  challenge  is  education.  We  need  to  define  more  effective 
methods of transferring research into practice. We need to relieve the engineer
of the burdens of complex reliability analyses, and have him focus on development
of  high  quality  input  information,  and  performing  high  quality  evaluations  and 
applications.  At  this  time,  our  problem  is  not  so  much  one  of  developing  new 
technology  as  it  is  applying  the  existing  technology  in  a  meaningful  way. 

We  also  need  to  define  more  effective  methods  of  transferring  practice  problems 
back  to  research.  The  researcher  needs  to  become  more  sensitized  to  the  problems 
of  the  practitioner,  and  develop  practical  solutions  to  these  problems.  We  need 
to  provide  sufficient  support  for  researchers  to  address  these  problems. 

Lastly,  we  need  to  reach  managers  and  decision  makers  with  this  technology.  This 
technology  must  be  placed  in  the  contexts  of  their  problems,  organizations,  and 
means  of  making  decisions.  The  general  public  is  one  component  of  the  decision 
making  framework,  and  it  must  be  included  in  the  education  process. 

The  second  major  challenge  is  implementation.  We  need  to  further  develop  how 
reliability  methods  can  be  implemented  within  codes  and  guidelines,  addressing 
conventional  and  unconventional  structural  systems.  Definitive  guidelines  on  how 
to  perform  structural  reliability  analyses  are  badly  needed.  Reliability  based 
developments  need  to  provide  incentives  for  the  practicing  engineer  to  apply  the 
technology,  such  as  information  sensitive  formats. 

The  developments  need  to  be  founded  on  a  practical  and  yet  advanced  system  of 
analytical  capabilities  that  take  full  advantage  of  computers  and  communication 
systems.  The  developments  need  to  be  directed  toward  full-scope,  life-cycle 
reliability  management  of  structural  systems.  The  developments  need  to  address 
both  new  and  existing  structural  systems. 

The  third  primary  challenge  is  further  research  and  development  of  reliability 
technology  to  address  the  practical  problems  of  future  implementations.  We  need 
to  develop  methods  to  define  and  realistically  evaluate  uncertainties  in  demands 
developed  in  structural  systems  and  the  performance  of  these  systems. 

We  need  to  develop  methods  that  will  assist  in  engineering  the  management  of  the 
dominant  threat  to  the  reliability  of  structural  systems:  human  and  organization 
errors  (Pate-Cornell  1990,  Bea,  Moore  1991).  An  analytical  framework  needs  to 
be  developed  that  will  address  the  limitations,  flaws,  and  frailties  of  humans, 
organizations,  and  societies.  We  need  to  develop  methods  that  will  allow  us  to 
evaluate  practical  and  effective  means  of  designing  people  and  their  activities 
into  our  structural  systems,  just  as  we  design  steel,  concrete,  and  foundation 
elements.  These  methods  need  to  address  full-scope,  and  life-cycle  aspects  of 
structural  systems. 

Lastly,  we  need  to  further  develop  methods,  approaches,  and  guidelines  to  define 
desirable,  acceptable,  or  tolerable  reliability.  These  methods  need  to  address 
a  full  range  of  potential  impacts  including  human  injuries,  injuries  to  the 
environment,  resource  development,  property,  and  productivity.  Methods  need  to 
be  developed  to  assist  in  resolution  of  evaluation  conflicts. 

We  have  come  a  long  way  in  developing  and  implementing  reliability  methods  in 
engineering  structural  systems.  We  still  have  a  long  way  to  go  before  we  can 
realize maturity of this technology. We should embrace this technology if we are
to dramatically improve the consistency and quality of our engineering. It is
needed  to  allow  us  to  examine  a  broad  range  of  issues  and  consider  a  broad  range 
of  solutions  to  the  increasingly  difficult  problems  associated  with  maintaining 
our  existing  infrastructures  and  building  new  structures. 

This  technology  can  increase  our  creativity  in  solving  engineering  problems  in 
a  way  that  will  form  strong  partnerships  between  the  societies  we  serve  and  the 
environment in which we live.

FIG. 1 Eight Legged Production, Drilling, and Quarters Platform

FIG. 2 Expected Maximum Wave Heights Versus Average Return Periods at the Platform Site, Northwest Shelf, Australia

FIG. 3 Uncertainty and Bias in Predicted Total Maximum Hydrodynamic

FIG. 6 Historical Relationship of Risks and Consequences for Engineered Structures

ability of Loss of Serviceability of the Platform

FIG. 10 Critical, Missing, and Revised Members Defined As A Result of the Damaged Structure Analyses (After Piermattei, et al. 1990)

FIG. 11 Gulf of Mexico Production and Drilling Platform to be Requalified For Extended Service

FIG. 12 Expected Maximum Wave Height Versus Average Return Period at the Platform Site

FIG. 15 Suitability for Service Evaluation Based on Expected Minimum

Acceptable and Marginal Risks


SAFETY  EVALUATION  OF  OFFSHORE  INSTALLATIONS  AND  OPERATIONS: 
THE  NORWEGIAN  EXPERIENCE 


Torkell  Gjerstad 
Managing  Director,  Technica  Group,  Norway 

ABSTRACT 

Regulatory  Guidelines  for  Concept  Safety  Evaluation  (CSE)  studies  were  introduced 
in  1981  in  Norway.  This  paper  explains  the  background  to  this  move  by  Norwegian 
authorities,  and  discusses  the  development  of  safety  studies  during  these  eight 
years.  The  current  introduction  of  Regulations  for  the  Use  of  Risk  Analysis  in 
Petroleum  Activities  is  also  addressed. 


1.     The  Early  Years  (1969-1980) 

Drilling  for  oil  and  gas  on  the  Norwegian  Continental  Shelf  (NCS)  started  in 
1965,  but  it  was  not  until  1969  that  the  first  major  field  was  discovered  at 
Ekofisk.  Two  years  later  the  Frigg  Field  was  found,  and  these  two  fields 
dominated  the  early  developments  in  the  Norwegian  sector.  They  were  both 
developed  using  the  same  basic  concept:  separate  wellhead  platforms  tied  into 
major  field  centres  for  processing  and  export  of  oil  and  gas.  The  living  quarters 
(LQ)  were  separated  from  the  main  processing  areas,  i.e.  both  Frigg  and  Ekofisk 
have  stand-alone  jackets  for  the  LQ. 

Three  main  events  were  to  shape  the  way  in  which  Norwegian  authorities  regulate 
major  hazards  in  the  offshore  industry: 

Ekofisk Alpha, 1975: The failure of a riser caused an explosion and following
fire. In the course of evacuating the platform, three men lost their lives when
the escape capsule accidentally dropped to the sea.

Ekofisk Bravo, 1977: An unignited blowout occurred during a workover. No lives
were lost.

Statfjord Alpha, 1979: First integrated Processing, Drilling and Quarters (PDQ)
platform comes into production. The Norwegian Petroleum Directorate (NPD) tells
the operator that similar designs will not be accepted in the future.

The  two  events  at  Ekofisk  had  demonstrated  the  major  hazards  potential  of 
offshore  installations,  putting  safety  firmly  on  the  public  agenda  in  Norway.  The 
Statfjord  A  platform  was  designed  in  this  period.  It  represented  a  departure  from 
the  Ekofisk  and  Frigg  concepts:  It  is  a  PDQ  platform  with  mechanical  ventilation 
in many hydrocarbon areas.

At this time, the NPD preferred separate LQ platforms, and they were concerned
about the Statfjord A design from a major hazards point of view. The operator at
the time (Mobil) intended to copy this design for the B and C platforms on
Statfjord. They were instructed, however, by the NPD to reconsider the design,
which  resulted  in  the  new  design  with  longer  decks  in  order  to  provide  better 
separation  of  the  LQ  from  HC  areas.  This  design  change  was  considered  very 
costly,  and  the  NPD  was  much  criticised  at  the  time  for  demanding  the  change. 

Today's NPD Regulations (for Production Systems) also state a preference for the
separated concept:

Consideration should be given in each design to the necessity to separate
the activities of drilling, production and quartering on separate
platforms.

NPD  wanted  to  avoid  for  the  future  the  kind  of  conflict  which  Statfjord  A  had 
caused.  A  major  criticism  against  NPD  had  been  that  their  objections  regarding 
the  design  had  arrived  at  a  stage  when  the  platform  design  had  been  "frozen". 
They  therefore  initiated  a  project  to  develop  a  Guideline  which  would  lead 
operators  to  consider  major  hazards  in  a  systematic  way  at  the  early  stages  of 
design.  In  1980,  draft  Guidelines  for  "Safety  Evaluation  of  Platform  Conceptual 
Design"  were  issued  to  the  industry.  The  response  was  by  and  large  negative. 

2.      Application  of  Risk  Analysis  (1980-1990) 

The  CSE  Guidelines  were  formally  issued  in  September  1981.  They  represent  an 
alternative  way  of  doing  risk  analysis  of  industrial  plant,  in  that  they  call  for 
probabilistic methods to be used in defining design loads. Previous experience
from the nuclear and chemical industries was more focused on the estimation of
fatal risk.

The  Guidelines  do  this  by  concentrating  on  three  main  safety  functions: 

—  escapeways 

—  shelter  area 

—  support  structure. 

The  basic  philosophy  is  that  if  these  three  safety  functions  remain  intact  during 
an  accident,  people  outside  the  immediate  vicinity  of  the  accident  will  be  able 
to escape to the shelter area (normally the LQ), which the platform structure
will  support  until  safe  evacuation  can  take  place. 

It should be noted that the main objective of a CSE study should be to define
Design Accidental Events (DAE), i.e. the accidental loads which the three safety
functions should be able to withstand. The DAE is expressed in terms of heat
loads, explosion overpressures and impact energies.

Yet, many CSE studies fail to define the DAEs in a proper way, and instead
concentrate on the frequencies of Residual Accidental Events (RAE), i.e. those
events that the safety functions cannot withstand. The result may be that the
CSE study turns into a numbers game, something it is certainly not meant to be.

The probability per year that a safety function is impaired by a given type of
accident (blowout, fire & explosion, collisions, etc.) is 10^-4. Since there are
nine types of accidents listed by NPD, one may in theory end up with a total
probability per year of 9x10^-4 for each of the safety functions. Most platform
concepts end up in the order of 5x10^-4.

Many  people  question  what  such  a  number  means  in  practice.  It  is  only  by 
considering  a  larger  platform  population  that  we  may  see  more  clearly  what  kind 
of  risk  level  it  implies.  Let  us  for  example  consider  150  installations  in  the 
North  Sea,  and  assume  that  the  average  platform  would  have  a  total  probability 
of safety function impairment of 5x10^-4 per year. Hence, the total probability
per  year  for  this  population  would  be  0.075,  i.e.  once  every  13  years.  This  kind 
of  accident  is  very  severe,  but  not  necessarily  as  catastrophic  as  the  Piper 
Alpha  accident. 

The  data  base  from  which  probability  estimates  can  be  derived  is  today  fairly 
good  in  many  areas.  Databanks  such  as  the  Worldwide  Offshore  Accident  Databank 
(WOAD)  and  the  Offshore  Reliability  Data  (OREDA)  Handbook  provide  reasonable 
data.  Some  operators  and  consultants  have  set  up  special  data  bases  on  e.g. 
blowout  statistics,  platform  leak  frequencies,  dropped  objects,  etc.  Some 
information  is  also  available  from  four  data  bases  operated  by  the  NPD  on 
drilling,  personnel  injury,  pipelines  &  risers  and  on  platform  shutdowns. 

There  will,  however,  always  be  a  continuing  need  to  improve  the  data  bases.  It 
seems  reasonable  to  suggest  that  the  offshore  industry  should  cooperate  more 
extensively  in  this  area.  After  all,  an  accident  very  often  affects  everybody  in 
the  industry,  not  only  the  operator  or  contractor  which  happens  to  own  the 
installation  on  which  the  accident  occurs.  Sharing  your  experience  on  accidents 
and  near-misses  with  others  is  therefore  of  mutual  benefit,  and  the  industry 
should  seek  ways  of  overcoming  confidentiality  problems  (as  was  done  in  the  OREDA 
Project).

As  an  example  of  the  benefit  from  undertaking  a  CSE  study,  we  may  consider  a 
riser  on  a  gas  platform.  This  platform  was  one  of  the  first  to  be  analyzed  using 
the  CSE  approach,  eight  years  before  the  Piper  Alpha  accident.  The  proposed 
design  had  the  pipeline  ESD  valve  located  on  the  upper  deck  of  the  platform, 
close  to  the  pig  launcher.  The  CSE  study  identified  the  significance  of  knock-on 
effects  from  the  process  area  below,  and  proposed  to  move  the  ESD  valve  to  a 
lower  location  inside  the  Module  Support  Frame. 

2.1      Other  Types  of  Safety  Assessment 

The  CSE  study  is  the  main  vehicle  for  demonstrating  safe  conceptual  design.  Most 
operators  on  the  NCS  do  also  use  other  types  of  safety  assessments  at  various 
stages  of  design  and  operation.  The  most  common  ones  are  listed  below: 

HAZOP: Hazard and Operability studies are in practice mandatory. The process
HAZOP is usually performed in the detail engineering phase.

Technica has pioneered the use of Drillers' HAZOP on special drilling and well
intervention operations. The technique is commonly applied to operations
involving simultaneous activities. More recently, the HAZOP technique has also
been successfully applied to evaluate the reliability of safety systems.

Some  operators  have  conducted  a  risk  analysis  aimed  at 
complete  quantification  of  risk  to  personnel, 
environment  and  installations.  The  TRA  study  is  useful 
for  establishing  the  total  risk  profile  of  the 
installations,  thereby  enabling  decisions  regarding 
safety to reflect the importance of various hazards.

Evacuation  studies  are  used  to  assess  the  process  of 
getting  off  the  installation  in  more  detail  than  is 
usually  done  in  the  CSE.  It  is  becoming  a  requirement 
today  for  the  operator  to  base  the  emergency  response 
system  on  the  specific  accident  and  evacuation  scenarios 
of  the  installation. 

Most  operators  today  perform  simulation  studies  to 
assess  the  production  regularity  of  the  installations 
and  transport  network.  Although  not  a  safety  study, 
these  studies  link  with  the  CSE  or  TRA  when  it  comes  to 
assessing  accidental  risk  of  production  interruption. 

3.  Risk Acceptance Criteria

The  use  of  Quantified  Risk  Assessment  (QRA)  assumes  that  the  risk  result  be 
compared  with  some  defined  target  or  acceptance  criterion,  in  order  to  decide 
whether  the  calculated  risk  level  is  deemed  acceptable,  or  whether  risk-reducing 
measures  should  be  implemented. 

Who  is  the  legitimate  decision-maker  for  risk  acceptance  criteria?  It  used  to  be 
that  this  was  not  an  issue,  when  regulation  was  based  on  detailed  technical  and 
operational  requirements,  and  the  acceptable  risk  level  was  not  stated 
explicitly.  The  regulatory  bodies  would  then  decide  the  requirements,  and 
implicitly  also  the  risk  level. 

When  NPD  issued  their  CSE  Guidelines  in  1981,  the  acceptance  criteria  stated  were 
of  a  qualitative  nature,  basically  requiring  safe  escape  for  anybody  who  would 
be  outside  the  "immediate  vicinity"  of  an  accident.  It  was,  however,  recognised 
that  the  most  unlikely  events  would  have  to  be  excluded  from  consideration,  and 
NPD  therefore  made  reference  to  a  probabilistic  target  in  the  methodology  section 
of the Guidelines. This target (10^-4) has since been widely referred to as the
acceptance criterion for platform concept safety, and it may be argued that this
is indicative of the industry's need to work against common, well-established
risk acceptance criteria.

NPD  is  aiming  to  change  the  way  in  which  oil  companies  go  about  their  acceptable 
risk decision-making. In the 1991 Risk Analysis Regulations, no acceptance target
is stated, and the oil companies will be required by law to establish their own
acceptance  criteria.  This  is  somewhat  in  contrast  to  earlier  statements  from  NPD 
that  all  installations  should  be  "equally  safe".  The  main  reason  given  by  NPD  for 
this  change  is  that  the  setting  of  acceptance  criteria  by  the  oil  companies 
themselves  will  elevate  the  decision-making  to  an  appropriate  level  in  the 
organisation,  involving  senior  management  input.  There  is  obviously  a  chance  that 
different  oil  companies  will  generate  different  risk  acceptance  levels,  but  NPD 
claim  they  would  be  in  a  position  to  moderate  any  outliers. 

The  NPD  approach  is  in  contrast  to  the  Cullen  Report's  recommendation  #5 
concerning  acceptance  standards  for  risk:  "For  the  time  being,  it  should  be  the 
regulatory  body  which  sets  these  standards". 

It is probably premature to judge how prepared the Norwegian offshore industry is
to establish its own risk acceptance criteria. It is going to be interesting
to  see  how  NPD  will  deal  in  practice  with  differences  in  the  criteria.  It  will 
be  a  requirement  to  communicate  risk  results  to  the  work  force,  and  it  would  seem 
unlikely  that  safety  representatives  and  the  unions  would  accept  higher  risk 
levels  on  their  installation(s)  compared  with  other  installations.  The  industry 
is  afraid  the  setting  of  acceptance  criteria  could  turn  into  some  kind  of  a 
competition  between  the  oil  companies,  in  which  the  authorities  could  play  one 
company  against  others. 

The  Norwegian  Oil  Industry  Association  (OLF)  is  therefore  putting  together  a 
working  group  on  risk  acceptance  criteria.  Some  operators  are  performing  in-house 
studies  to  establish  the  feasibility  of  proposed  criteria,  by  doing  pilot  studies 
of  various  offshore  installations  concepts.  It  should  be  recognised  that  arriving 
at  practical  risk  criteria  is  a  challenging  task,  most  often  requiring  iterations 
before  reasonable  criteria  can  be  fixed.  It  is  therefore  mandatory  that  NPD  will 
allow  these  iterations  to  take  place,  probably  over  several  years,  even  though 
the  new  Regulations  require  the  risk  criteria  to  be  fixed  in  advance  of  the  QRA 
study.

The  common  trap  is  to  be  too  ambitious  when  establishing  criteria,  or  to  state 
some  criteria  without  considering  in  detail  the  practical  necessity  and 
technicalities  of  meeting  the  criteria.  An  example  is  simultaneous  drilling  and 
production operations, where a number of operators have laid down a criterion
stating  that  no  risk  increase  should  result  from  such  operations  compared  with 
carrying  out  the  operations  in  sequence.  Even  though  lay-out,  design,  and 
operational  measures  may  eliminate  the  risk  of  one  operation  affecting  the  other, 
there  will  still  be  risk  increase:  the  drilling  crew  will  be  exposed  to 
production  risks  and  vice  versa.  Such  a  criterion  is  therefore  likely  to  be 
impossible  to  meet. 

It  is  important  to  keep  in  mind  that  acceptance  criteria,  risk  analysis 
methodology  and  data  input  go  hand  in  hand.  Due  to  uncertainties  in  the  modelling 
and  the  statistical  failure  frequency  data,  one  may  end  up  accepting  or  rejecting 
a  design  or  operation,  depending  on  the  method  being  applied.  It  is  therefore 
worthwhile  for  an  oil  company  and  perhaps  the  industry  as  a  whole  to  consider 
agreeing  to  some  standardised  tools  for  offshore  risk  analysis.  This  has  been 
quite  common  with  some  companies  e.g.  when  evaluating  the  need  for  subsea 
isolation valves.

4.  Risk Analysis Methodology


Risk  analysis  is  a  means  for  communication.  It  is  an  inter-discipline  activity 
which  requires  input  and  participation  from  several  parties  in  order  to  achieve 
the  best  results.  Key  areas  include  communications  with 

—  project  disciplines 

—  project  and  operations  management 

—  offshore  supervisors 

—  offshore  personnel  and  safety  representatives 

—  authorities 

The  methods  we  use  and  the  way  risk  analyses  are  documented  and  communicated  must 
reflect  the  communication  function.  I  think  it  is  generally  true  that  many  risk 
analysis  studies  and  reports  do  not  provide  the  maximum  possible  benefit  to  the 
users,  because  the  analyst  fails  to  explain  the  work  done  and  the  results  in  a 
format  which  is  readily  accessible  and  useful.  This  could  typically  relate  to 
"black-box"  methodologies  (in  which  the  user  will  have  little  faith),  lack  of 
traceability, failure to transform recommendations into "what-to-do" items, etc.
Most  risk  analysts  would  do  themselves  and  the  users  a  favour  by  spending  more 
of  the  time  available  on  interpreting  results,  and  less  time  on  calculations. 

Communicating risk results to operations personnel, safety representatives and
unions is going to be a challenging area. The new NPD Regulations make this an
explicit requirement (Section 14): "Results from risk analyses shall be
communicated to the employees". This puts added emphasis on the need for
transparent, clear and practical approaches to risk analysis, and is hopefully
going to advance the benefit from undertaking such studies.

Some  methodologies  for  risk  analysis  lend  themselves  quite  well  to  communication 
by  themselves.  The  ideal  example  is  the  HAZOP  (Hazard  and  Operability)  study 
technique,  pioneered  by  ICI  for  systematic  review  of  process  design  and 
operation.  The  same  principle  has  since  been  adopted  for  review  of  drilling 
operations  (Lewis  &  Ostebo,  1989).  It  is  very  encouraging  that  simple  (yet 
systematic)  techniques  combined  with  inter-discipline  participation  generate  very 
practical  and  immediate  results. 

The  hazard  identification  part  of  any  risk  analysis  is  critical,  since  both 
consequence  and  probability  assessment  rely  on  the  assumption  that  all 
significant  hazards  have  been  found,  and  hence  can  be  analysed.  Hazard 
identification  is  the  starting  point  where  co-operation  with  design  engineers  and 
operating  personnel  can  be  very  crucial.  It  is  my  experience  that  more  attention 
should  be  paid  to  this  activity,  particularly  since  analysts  trained  in  this  area 
have  an  inclination  towards  concentrating  on  the  consequence  and/or  probability 
aspects.  Achieving  excellence  in  hazard  identification  is  strongly  experience- 
based,  and  it  is  therefore  more  difficult  to  train  analysts  for  this  purpose.  The 
application of artificial intelligence technology should therefore be considered
as a means to accumulate knowhow and make it available to risk analysts.

When developing and selecting techniques for consequence and probability
assessments, two key features must be considered:

Realism: The modelling should be able to reflect realistically design
features which definitely affect the level of risk. Examples
of such features include ESV location (hydrocarbon inventory),
number of gas detectors, etc. This may sound like an obvious
requirement, yet many risk analyses fail to reflect such
aspects, with resulting frustration and lack of credibility
with the decision-maker.

Data Matching: The level of detail in the modelling must match the
availability and quality of experience data. It is of very
limited use to develop models for e.g. gas cloud ignition
which incorporate delayed ignition events, if little or no
data can be found to estimate the fraction of ignitions which
are delayed, and for how long the delay is likely to last.

The two above aspects sometimes contradict each other, since a high degree
of realism may require data inputs which are virtually non-existent. It is
nevertheless the duty of industry, authorities, research institutions and
consultants to constantly strive for improved realism in the risk analyses, by
devoting adequate resources and creativity into this area.

Fairly good databases have developed over the last decade for offshore risk
analysis use. The industry co-operation in the OREDA Project since 1983 is an
excellent example in this respect. Commercial databases like WOAD by Veritec and
BLOWOUT by Technica provide unique data input to many users. Currently, the E&P
Forum is launching an initiative to improve the failure frequency data for
offshore QRA. The industry has come to believe that co-operation in this area is
a must, since no single oil company can accumulate enough experience on rare
events by themselves. Confidentiality issues should not be allowed to sabotage
exchange and use of the best possible data base, since lack of quality data can
only harm the industry. Overestimating or underestimating the risks are equally
bad in the long run.

The regulatory bodies may have a role to play in establishing good data bases.
The NPD have 4 different, computerised data bases for personnel injuries,
drilling operations, production upsets and pipelines & risers. Up till now, very
limited information has been available to outside parties from these data
sources, partly because of confidentiality issues, and partly because of
differences of opinion as to whether it is the function of a regulatory body to
disseminate this kind of information. There are, however, signs that the
situation is changing, and that more data may become available from NPD. It is
interesting to note that the Cullen Report recommends a regulatory initiative in
this area (recommendation #39):

The regulatory body should be responsible for maintaining a database with regard
to hydrocarbon leaks, spills and ignition in the industry and for the benefit of
the industry. The regulatory body should:

(i) discuss and agree with the industry the method of collection
and use of the data.

(ii) regularly assess the data to determine the existence of any
trends and report them to the industry, and

(iii) provide operators with a means of obtaining access to the
data, particularly for the purpose of carrying out quantified
risk assessment.

Another aspect to consider concerning risk analysis methodology is the need for
updating the studies. The Cullen Report recognises the need for updates every 3-5
years (recommendation #10). The new NPD Regulations require risk analyses to be
updated "to follow the progress of the activities" (Section 15). The aim should
be to ensure the risk analysis is maintained to provide a relevant basis for
decision-making, reflecting the status of the installation. Experience indicates
that updating 3-5 year old risk analyses requires a major effort, and a
computerised tool and model would certainly help in making such updating feasible
and efficient to carry out.

5.         Risk  Analysis  Contracts 

Most  offshore  risk  analyses  are  performed  by  consultants.  It  is  a  general 
observation  that  the  quality  and  practical  benefit  from  such  studies  will  be 
enhanced  whenever  the  client  has  some  in-house  expertise  to  define,  co-ordinate 
and  follow-up  such  studies.  Oil  companies  should  therefore  train  some  of  their 
staff  to  take  on  this  role,  in  order  to  make  the  best  possible  use  of  consultants 
by putting forward demands which aim at excellence and contribute to progressing
the state-of-the-art in risk analysis technology. An important role for the
co-ordinator is to enable good communications between the risk team and the
engineering or operations people. Having some in-house expertise is also going
to provide a better opportunity for ensuring practical implementation of results
and updating of the risk analyses.

Competition  between  risk  analysis  consultants  is  very  healthy.  It  challenges 
creativity  and  stimulates  excellence  by  those  who  intend  to  stay  in  the  risk 
analysis  consultancy  market.  Competing  on  the  combination  of  quality  and  price 
is  obviously  something  no  professional  consultancy  would  object  to.  There  is, 
however,  a  risk  that  consultants  end  up  "competing"  on  behalf  of  the  client's 
level  of  ambition.  It  is  after  all  difficult  to  write  a  risk  analysis  scope  of 
work  to  a  level  of  detail  and  clarity  which  enables  consultants  to  arrive  at  the 
same  understanding  of  what  is  wanted.  Hence,  consultants  may  end  up  squeezing  the 
ambitions,  e.g.  by  lowering  the  level  of  detail  of  the  risk  analysis,  in  order 
to  arrive  at  a  price  which  is  not  significantly  above  that  of  competitors.  Only 
the  more  experienced  users  of  risk  analysis  may  be  able  to  identify  the 
significance  of  a  difference  in  approach,  methodology  and  man-hour  input.  There 
is  evidence  in  the  Norwegian  Sector  that  this  "squeezing  effect"  has  lowered  the 
efforts  put  into  e.g.  CSE  studies.  These  studies  used  to  require  in  the  order  of 
2000 man-hours, and it is today not uncommon to spend as little as 4-500
man-hours. The total difference is not attributable to improved efficiency in
undertaking  the  study. 

A practice which is not uncommon in Norway is to parcel out risk analysis
contracts, commissioning several small studies one at a time. This is in my
view a practice which does not benefit any party from a commercial point of view,
and which also most likely diminishes the practical benefit from undertaking
risk analysis studies. The total effort spent on risk analysis studies is after
all  quite  modest  compared  with  the  total  engineering  efforts.  An  offshore 
development  project  may  typically  spend  10,000  man-hours  on  risk  and  safety 
studies.  It  would  therefore  seem  like  a  good  idea  to  establish  one  consultancy 
contract  for  all  of  these  studies.  This  would  enable  stiffer  competition  on 
price,  and  enable  better  continuity  and  coordination  between  the  studies.  Part 
of  the  contract  could  involve  secondment  of  personnel  to  the  client  organisation, 
which  would  improve  relations,  communications  and  understanding  of  the  client's 
needs.  Better  planning  and  resourcing,  with  less  risk  of  extreme  time  pressure 
(a  not  uncommon  feature)  would  also  result. 

6.        Using  Risk  Analysis 

A  key  challenge  for  any  user  of  risk  analysis  is  to  identify  (in  a  timely  manner) 
when  one  can  benefit  from  doing  a  study,  and  to  define  a  scope  of  work  which  is 
tailored to the decision-making context. Risk analyses should always link to a
decision problem, i.e. risk analysis is a decision support tool. It follows that one most
likely does not need a risk analysis if no reasonably well-defined decision
problem  is  on  the  table,  and  we  have  on  more  than  one  occasion  advised  our  client 
not  to  undertake  a  proposed  study. 

Risk  analysis  very  much  originated  in  the  nuclear  industry,  where  acceptable  risk 
problems  dominate  the  discussion.  Risk  analysis  in  the  offshore  industry  has 
become  more  of  a  design  tool,  aimed  at  defining  design  accidental  loads.  Nobody 
should  be  satisfied  with  risk  analyses  which  concentrate  on  highlighting  problem 
areas,  but  fall  short  of  coming  up  with  solutions  to  these  problems. 

It  is  important  we  remind  ourselves  that  risk  analysis  in  itself  does  not  improve 
safety.  Only  practical  measures  aimed  at  technical,  procedural  and  organisational 
improvements  will  do  this.  It  is  therefore  important  to  incorporate  human  factors 
in  risk  and  safety  studies,  and  to  acknowledge  the  importance  of  human  error  not 
only  when  reviewing  experience  data,  but  also  when  analyzing  safety  and 
reliability. 

It  is  furthermore  vital  that  planned,  systematic  follow-up  takes  place,  in  order 
to  ensure  that  recommendations  and  assumptions  made  are  implemented  in  real  life. 
This  is  a  bit  like  "fitting  the  terrain  to  the  map",  i.e.  to  make  sure  the 
installation as built and operated conforms with the model (drawings, P&IDs,
etc.)  on  which  the  risk  analysis  was  made.  If  this  is  not  the  case,  then  the  risk 
results  and  the  decisions  that  followed  may  be  irrelevant.  One  way  to  help 
accomplish  this  is  to  establish  a  computerised  risk  accounting  system,  which 
contains  all  recommendations  and  critical  assumptions  made  in  risk  and 
reliability  studies.  The  system  should  reference  where  the  recommendations  and 
assumptions arise from, and define the person/discipline responsible for
follow-up. Lists may then be generated per discipline (with deadlines), making practical
follow-up feasible. The risk accounting system should be transferred to the
operations division once the engineering and construction periods are completed.
A typical risk accounting system could hold some 3-500 items, and is very
valuable when updating risk analyses. The system should also be used for
recording implementation (e.g. by reference to an engineering drawing), or
alternatively to record why a recommendation was not implemented, and on what
basis this decision was made.

In  the  early  days  of  performing  CSE  studies  in  the  Norwegian  Sector,  it  was 
common  practice  to  submit  the  study  report  to  NPD  without  much  comment  from  the 
operator.  This  practice  has  now  ended,  with  NPD  placing  firm  emphasis  on  the 
principle  of  internal  control  (operator's  safety  management  system),  wanting  to 
know  from  the  operator: 

—  does  he  support  the  methods  and  data  used? 

—  does  he  agree  with  the  conclusions? 

—  who  defined  the  acceptance  criteria? 

—  which  recommendations  will  be  implemented? 

—  what  system  is  in  place  for  follow-up? 

Primary  emphasis  is  thus  put  on  how  risk  analysis  has  influenced  design  and 
operations,   i.e.  on  practical  results.  Nothing  else  matters  much. 

7.  Conclusion

Risk analysis has been actively used in the Norwegian offshore industry during
the  last  ten  years.  From  a  start  where  the  industry  was  largely  skeptical  to 
probabilistic  assessment,  the  use  of  risk  analysis  is  today  widely  accepted  as 
a  practical  tool  for  design  purposes  and  decision-making. 

The  UK  and  Norwegian  sectors  of  the  North  Sea  now  have  very  common  regulatory 
requirements  for  offshore  risk  analysis.  Quantitative  risk  analysis  has  been 
recognised  as  a  practical  tool  for  improved  decision-making.  A  key  challenge 
facing  the  regulatory  bodies  and  the  industry  is  to  develop  reasonable  risk 
acceptance  criteria,  and  to  provide  risk  analysis  methodologies  which  allow 
realistic modelling which reflects platform-specific features in design and
operation.  Cooperation  will  be  needed  to  establish  robust  data  bases,  and  it  is 
important  to  recognise  that  the  perhaps  most  difficult  job  starts  when  the  risk 
analysis is finished: practical implementation of results.

REPORT OF WORKING GROUP #1


EXPERIENCE  DATA  BASES  AND  CASE  STUDY  ANALYSES 

Robert  C.  Visser 
and 

Torkell  Gjerstad 

1.  Introduction

The  working  group  involved  in  discussing  and  analyzing  "Experience  Data  Bases  and 
Case  Study  Analyses"  consisted  of  sixteen  people  with  a  wide  range  of  experience. 
The  working  group  included  representatives  of  oil  companies,  engineering 
companies,  consulting  companies,  and  the  Minerals  Management  Service.  A  list  of 
the  members  of  Working  Group  1  is  included  at  the  end  of  this  report. 

The  scope  of  the  working  group  was  defined  as  reviewing  the  potential  use  and 
usability  of  existing  offshore  reliability  and  accident  databases,  establishing 
requirements  and  needs  for  future  databases  and  determining  ways  in  which  greater 
industry  participation  and  acceptance  can  be  accomplished. 

Three theme papers were presented by the co-chairmen during the working session.
Mr. Visser presented a paper entitled "Offshore Accidents — Lessons To Be
Learned". This paper reviewed major accidents that have had a major influence
on improving the reliability of offshore operations. Mr. Gjerstad presented
theme papers entitled "Brief Review of the Oreda Project" and "Data Collection
on Hydrocarbon Leaks and Ignitions - The E&P Forum Approach". The first paper
discusses the results from the ongoing OREDA reliability data collection project.
The  second  paper  discusses  the  planned  approach  for  a  new  data  collection  project 
by  the  E&P  Forum. 

2.  State of Practice

The  increasing  use  of  probabilistic  risk  analysis  methods  to  evaluate  the 
reliability  of  offshore  operations  has  brought  with  it  a  demand  for  reliable 
information  of  historical  events.  As  a  result  there  are  now  a  large  number  of 
offshore  related  databases  of  varying  sizes  in  existence.  There  are  databases 
run  by  governments,  industry  associations,  universities,  consultants  and  oil 
companies.     The  quality  of  these  databases  varies  greatly. 

There was a discussion of which organization, i.e. industry or government, might be
best  qualified  to  obtain  and  gather  data.  A  government  organization  has  the 
regulatory  power  to  ensure  that  the  data  collection  is  complete  and  from  all 
operators.  A  further  advantage  is  that  the  information  is  public  and  available 
to  all  interested  parties.  Industry  data  collection  requires  cooperation  between 
a  number  of  companies  and  data  will  not  be  available  to  outsiders.  On  the  other 
hand  the  data  collection  effort  can  be  directed  to  specific  objectives  that  are 
only  of  interest  to  the  participants. 

There are basically three types of databases that are of potential use to the
offshore oil industry. These are (1) accident or event databases, (2) accident
or event frequency databases, and (3) equipment reliability databases.

2.1  Accident  databases 

An  example  of  the  first  type  of  database  is  the  offshore  events  file  being 
maintained  by  the  Minerals  Management  Service.  The  database  was  initiated  in 
1971  to  keep  track  of  blowouts,  fires,  explosions,  oil  spills  and  fatalities  in 
the  federal  waters  of  the  Gulf  of  Mexico.  At  the  present  time  it  contains  more 
than  4700  events  which  go  back  to  1965.  This  data  comes  from  a  population  of 
some  3700  platforms.  Prior  to  1971  only  major  blowouts  and  fires  were  entered. 
In  1971  the  regulations  were  revised  requiring  all  operators  to  report  all  fires, 
explosions,  oil  spills  greater  than  one  barrel,  and  fatalities  to  the  Minerals 
Management  Service.  The  data  is  currently  located  in  the  GYPSY  database  program. 
This  is  a  non-standard  program  and  precludes  the  data  from  being  readily 
accessible.  The  data  is  at  present  being  converted  into  the  dBase  IV  format, 
which  will  greatly  improve  accessibility  and  use  by  industry.  Currently  the 
system  is  not  being  used  much  outside  the  Minerals  Management  Service.  It  was 
reported  that  the  Minerals  Management  Service  has  only  five  to  ten  inquiries  per 
year  for  data. 

The  Minerals  Management  Service  offshore  events  file  is  not  currently  tied  in  to 
the  population  data  and  frequency  data  are,   therefore,  not  readily  available. 

Another  example  of  this  type  of  database  is  the  worldwide  accident  database 
compiled by the Institut Français du Pétrole. There are also a number of
specialized  accident  databases  being  maintained  by  individual  oil  companies, 
insurance  companies,  etc.  Examples  are  mobile  drilling  unit  failures,  offshore 
worker  fatalities,  etc. 

2.2  Accident  frequency  databases 

There  are  a  number  of  accident  databases  that  are  tied  in  to  the  population  data. 
One  example  is  the  Worldwide  Offshore  Accident  Database  (WOAD)  database  being 
maintained  by  Veritec,  a  subsidiary  of  Det  Norske  Veritas.  Data  has  been 
collected since 1970. Access to this database is expensive and annual
membership fees are in the order of $5,000 per year. Veritec does publish a
statistical  summary  report  every  other  year  which  is  available  at  a  lesser  cost. 

2.3  Reliability  databases 

An  example  of  an  offshore  equipment  reliability  database  is  the  Offshore 
Reliability  Data  (OREDA)  database  program. 

The program was launched in 1983 after a pilot project. An illustration of
the difficulty of getting one of these programs organized is the fact that it
took five years of crusading to get Phase 1 of OREDA in operation with eight
companies.  There  are  now  nine  or  ten  oil  companies  sponsoring  a  Phase  3  data 
collection  effort  in  this  program.  The  Phase  1  data  results  were  published  in 
a  handbook  which  is  now  available  for  free.  Data  from  Phases  2  and  3  are  not 
available  to  non-participants  because  it  is  in  computer  format  and  only  available 
to the participants. Two U.S. companies, i.e. Phillips and Exxon, have recently
joined  OREDA.  This  is  a  shift  from  the  early  eighties  when  there  were  only 
European  participants. 

The  E&P  Forum  has  recently  initiated  a  program  to  gather  hydrocarbon  release 
data.  This  program,  which  started  this  year,  has  two  objectives.  One  is  to 
develop  data  collection  guidelines  for  hydrocarbon  leak  and  emission  events.  The 
second  objective  is  to  set  up  an  initial  database  of  release  data. 

The  data  collection  guidelines  will  be  available  to  anyone  who  wants  them.  The 
initial  database  of  release  information  will  also  be  available  (not  necessarily 
for  free  but  at  a  reasonable  price)  because  it  is  in  the  interest  of  the  E&P 
forum  to  make  the  collection  effort  itself  as  broad  as  possible. 

The Minerals Management Service has been compiling a database on
structural platform inspections since 1988. In that year reporting of the structural
condition of offshore platforms became mandatory. With some 3700 platforms in
the Gulf of Mexico and a requirement that each platform be inspected at least
once every five years, this will in a few years become an extremely valuable
database.  This  database  will  be  particularly  important  for  determining 
deterioration  trends  as  offshore  platforms  become  older  and  require  increased 
maintenance  and/or  repair. 

3.  Problem Areas

3.1      Misuse  of  information 

Misuse  of  the  information  from  a  database  is  one  of  the  concerns  in  the  use  of 
databases  in  the  offshore  oil  industry.  The  data  may  be  misinterpreted  by  a 
regulatory  agency.  For  instance,  a  statistical  review  of  failure  rates  of  fixed 
and  flexible  risers  may  lead  to  the  conclusion  that  flexible  risers  are  more 
hazardous.  Based  on  this  data  a  regulatory  agency  might  wish  to  ban  the  use  of 
flexible  risers.  If  databases  are  used  for  such  a  purpose  they  are  indeed  being 
misused.  The  database  in  this  example  should  be  used  to  determine  what  causes 
the  flexible  riser  failures  and  to  make  improvements  rather  than  banning  them 
from use.

The  same  concern  has  been  raised  with  databases  that  use  manufacturers'  names. 
One  could  perceive  from  such  a  database  that  one  manufacturer  has  an  advantage 
over  another  one.  That  concern  turned  out  to  be  overstated.  The  OREDA  database 
in  its  Phase  1  program  used  only  generic  names  without  mentioning  the 
manufacturer names. This was changed in the later phases where manufacturers'
names are now included. This really benefits the industry. How else is the
manufacturer  going  to  get  information  so  that  the  product  can  be  improved? 

These  are,  however,  traditional  concerns  and  come  up  each  time  a  new  database  is 
being  proposed. 

3.2  Confidentiality


Joint  industry  programs  restrict  access  to  the  data  to  only  those  companies  that 
participate  in  the  program.  For  instance,  the  current  OREDA  information  is  not 
available  to  outsiders  and  this  limits  the  usefulness  of  applying  the  data  that 
has  been  generated.  The  reason  is,  of  course,  that  otherwise  it  will  be 
impossible  to  get  a  joint  industry  program  started. 

3.3  Taxonomy

The  various  databases  currently  in  existence  use  a  great  variety  of  methods  for 
data  collection.  It  would  have  been  beneficial  if  a  standard  methodology  had 
been adopted for the data collection.

In this connection it was mentioned that there is a European organization,
EuReDatA (European Reliability Database Association), which has been in existence
for  eighteen  years  and  has  an  offshore  subcommittee.  The  association  has 
developed  a  taxonomy,  i.e.  an  equipment  inventory  system,  for  its  user  members. 

3.4  Legal  Problems 

Legal  concerns  include  the  misuse  of  data  in,  for  instance,  liability  court  cases 
involving  negligence.  This  is  not  much  of  a  concern  in  Europe  but  it  is  a 
potential  problem  in  the  United  States  and  may  keep  companies  from  participating 
in a database program. Since there were no attorneys in the work group it was
decided that, if the industry really wants to do something jointly, these
concerns can be overcome. It was mentioned that the airline industry has been
quite  successful  in  establishing  and  maintaining  equipment  failure  databases 
without  apparent  legal  difficulties. 

4.         Research  Needs 

4.1  Case  Analyses 

There  is  still  a  need  to  convince  people  in  the  industry  that  it  is  important  to 
collect  information  for  databases.  It  was  felt,  therefore,  that  it  would  be 
worthwhile  to  collect  a  series  of  case  analyses  that  demonstrate  the  usefulness 
of  having  databases  available. 

These  case  analyses  should  include  not  only  quantitative  analysis  of  risk  to 
people  on  a  platform  but  also  analyses  that  are  used  to  determine  an  optimum 
solution  for  a  particular  production  operation  approach.  There  are  examples 
available  where  an  operator  was  able  to  demonstrate  through  a  risk  analysis  that 
a  better  and  cheaper  solution  was  superior  to  one  that  followed  the  exact 
regulatory  requirement. 

4.2  Minerals  Management  Service  Events  File 

The  Minerals  Management  Service  events  file  is  not  currently  tied  in  to  the 
population  data.  Population  data,  however,  has  been  collected  in  other  available 
databases  of  the  Minerals  Management  Service.     The  working  group  felt  that  it 
would be extremely worthwhile to incorporate the population data into the events
file.  If  this  is  done  there  would  be  an  excellent  and  very  extensive  database 
available  for  U.S.  offshore  operations. 

4.3  Offshore  Database  Directory 

There  are  many  offshore  databases  already  available  that  are  not  widely  known. 
The  working  group  believes  that  it  would  be  very  useful  to  compile  a  listing  of 
databases  that  already  exist  in  a  single  report.  Such  a  directory  should  include 
the  ownership,  characteristics,  cost  and  actual  or  potential  application  of  the 
databases.

4.4  E&P  Forum  Data  Calibration 

When  data  from  the  E&P  forum  database  becomes  available  later  this  year  it  would 
be  very  worthwhile  to  calibrate  and  check  this  data  against  the  data  available 
from  the  Minerals  Management  Service  events  file. 

4.5  Expand OREDA membership

The  OREDA  database  provides  equipment  reliability  data.  Although  originally  set 
up  by  North  Sea  operators,  two  U.S.  companies  have  recently  joined.  The  OREDA 
group  is  quite  anxious  to  cooperate  with  the  U.S.  offshore  industry  and/or  expand 
its  membership  to  have  more  U.S.  participation  and  make  the  database  more  widely 
accessible  and  complete.  One  possibility  might  be  a  U.S.  chapter  of  OREDA  rather 
than  having  a  separate  activity. 

4.6  Organizational  and  Human  Factors  Failures  Database 

The  need  for  databases  addressing  the  origin  of  accidents  due  to  organizational 
and  human  factors  was  mentioned.  Although  there  are  some  databases  that  devote 
themselves  almost  exclusively  to  human  factors,  such  as  the  Norwegian  Petroleum 
Directorate's  databases  on  drilling  injuries,  there  is  a  problem  segregating  the 
human  and/or  organization  element  from  the  other  causes  in  databases.  It  may  be 
possible  to  do  so  from  the  OREDA  equipment  reliability  databases  either  in  its 
current  form  or  in  an  expanded  format. 

4.7  Perform  Technical  Audits 

Outside  technical  audits  of  offshore  platform  facilities  may  be  one  method  of 
improving  offshore  reliability. 

For  instance,  one  of  the  recommendations  made  by  the  technical  advisors  to  the 
Ocean  Ranger  Royal  Commission  was  that  mobile  rigs  entering  Canada  should  be 
required  to  submit  to  a  technical  audit.  Much  like  financial  system  audits,  the 
technical  auditor  should  report  not  to  the  field  management,  or  the  project  team, 
but  to  the  highest  level  in  the  owner's  organization. 

The  audit  work  should  concentrate  not  so  much  on  nitty-gritty  detail  and  nominal 
compliance  with  regulations  and  standards,  but  with  fundamental  platform  safety 
and  life  safety,  reviewing  systems,  training,  etc.  with  a  view  to  reporting  on 
the  problems  that  everyone  else  has  missed.  This  is  one  of  the  few  methods  of 
detecting potential "human error" problems.

4.8  Data Collection Conference

Thought  should  be  given  to  organizing  a  database  data  collection  conference  or 
workshop.  At  such  a  conference  standards  for  data  collection  could  be 
established. 


5.  Implementation and Application

An  illustration  of  how  databases  can  be  implemented  and  applied  in  an  offshore 
production  organization  is  presented  in  the  following  recent  exercise  by  a 
company  operating  in  the  North  Sea. 

The  company  used  available  database  data  to  prepare  a  number  of  comparative, 
quantitative  risk  assessments  of  planned  activities  on  platforms  in  the  North  Sea 
in  the  United  Kingdom  sector.     Examples  of  these  assessments  include: 

1.  Determination  of  potential  fatal  accident  frequency  rates  for  personnel  in 
the  platform  safe  haven  with  and  without  a  compression  module  installed 
next  to  the  safe  haven. 

2.  Determination  of  potential  fatal  accident  frequencies  for  personnel  in  the 
platform  safe  haven  and  for  divers  with  and  without  subsea  emergency 
shutdown  valves  in  the  platform  pipeline  and  subsea  flowline. 

3.  Determination  of  potential  fatal  accident  frequencies  for  personnel  in  the 
platform  safe  haven  with  two  firewater  pumps  and  with  three  firewater 
pumps.

The  types  of  data  used  and  sources  consulted  included: 

1.  Leak  frequency  data.     Sources  of  the  data  were: 

(1)  "Update on Loss of Containment," report prepared for the United
Kingdom Department of Energy.

(2)  Equipment  reliability  data  pertaining  to  leak  frequencies  on  (1) 
flanges,   (2)  piping,   (3)  vessels  and,   (4)  rotating  equipment  seals. 

2.  Safety  equipment  reliability  data  for  emergency  shutdown  valves,  gas 
detectors,  fire  pumps,  shutdown  systems,  etc.  Sources  consulted  included: 
(1)  OREDA  data  handbook;  (2)  CCPS  (Center  for  Chemical  Process  Safety) 
data  handbook;  and  (3)  U.S.  nuclear  power  industry  and  military  equipment 
reliability  data  banks. 

Specifically,  the  data  was  used  to  define  frequencies  of  scenarios  that  could 
cause  safe  haven  fatalities.  This  was  accomplished  by  constructing  fault  trees 
to  define  the  combinations  of  various  release  events  and  safety  system  failures 
required  to  generate  the  scenarios. 
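
The fault-tree step described above can be sketched as follows. This is an added example, not part of the original report and not the company's model: the tree structure, the beta-factor treatment of common-cause pump failures, the assumption that one pump meets the full firewater demand, and every number are constructed for illustration and are not taken from OREDA, CCPS or the Department of Energy report.

```python
from math import prod

# All numbers below are constructed for illustration; they are NOT taken from
# OREDA, the CCPS handbook, or the UK Department of Energy report.
LEAK_FREQ_PER_YEAR = {          # release events (initiators), per year
    "flange": 2.0e-2,
    "piping": 1.0e-2,
    "vessel": 1.0e-3,
    "rotating_seal": 3.0e-2,
}
P_IGNITION = 0.1                # probability that a release ignites
P_GAS_DETECTION_FAILS = 0.02    # failure on demand
P_ESD_VALVE_FAILS = 0.03        # failure on demand
P_PUMP_FAILS = 0.05             # one firewater pump, failure on demand
BETA = 0.1                      # share of pump failures that are common cause


def evaluate(node, basic):
    """Return the probability of a fault-tree node.

    A node is either the name of a basic event or a tuple
    ("AND" | "OR", child, child, ...). Basic events are assumed independent
    and each appears only once in the tree, so the gate formulas are exact.
    """
    if isinstance(node, str):
        return basic[node]
    gate, *children = node
    probs = [evaluate(child, basic) for child in children]
    if gate == "AND":
        return prod(probs)
    if gate == "OR":
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate: {gate!r}")


def firewater_tree(n_pumps):
    """Firewater fails if every pump fails independently OR a common cause hits.

    Assumes any single pump can supply the full demand (1-out-of-n).
    """
    independent = ("AND", *[f"pump_{i}_independent" for i in range(1, n_pumps + 1)])
    return ("OR", "pumps_common_cause", independent)


def basic_events(n_pumps):
    """Basic-event probabilities, splitting pump failure with the beta factor."""
    events = {
        "gas_detection_fails": P_GAS_DETECTION_FAILS,
        "esd_valve_fails": P_ESD_VALVE_FAILS,
        "pumps_common_cause": BETA * P_PUMP_FAILS,
    }
    for i in range(1, n_pumps + 1):
        events[f"pump_{i}_independent"] = (1.0 - BETA) * P_PUMP_FAILS
    return events


def mitigation_tree(n_pumps):
    """Mitigation fails if isolation fails OR firewater fails."""
    isolation = ("OR", "gas_detection_fails", "esd_valve_fails")
    return ("OR", isolation, firewater_tree(n_pumps))


def scenario_frequency(n_pumps):
    """Frequency (per year) of an ignited release that is not mitigated."""
    ignited_per_year = sum(LEAK_FREQ_PER_YEAR.values()) * P_IGNITION
    p_fail = evaluate(mitigation_tree(n_pumps), basic_events(n_pumps))
    return ignited_per_year * p_fail


def compare(n_base=2, n_alt=3):
    """Compare two firewater pump configurations on scenario frequency."""
    base, alt = scenario_frequency(n_base), scenario_frequency(n_alt)
    return {"base": base, "alt": alt, "relative_reduction": (base - alt) / base}


if __name__ == "__main__":
    for n in (2, 3):
        fw = evaluate(firewater_tree(n), basic_events(n))
        print(f"{n} pumps: P(firewater fails)={fw:.6f}  "
              f"scenario frequency={scenario_frequency(n):.3e} per year")
    print(f"relative reduction: {compare()['relative_reduction']:.1%}")
```

With these constructed inputs the third pump lowers the firewater failure probability from about 0.0070 to 0.0051 but the scenario frequency by only about 3%, because isolation failure and the common-cause term dominate the top event.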

REPORT OF WORKING GROUP #2


RISK  MANAGEMENT  PRACTICES 


J.  E.  Vinnem 


1.  Introduction


A  Workshop  similar  to  the  present  one  was  sponsored  by  MMS  in  1984,  with  a 
similar  theme,  organization  and  participation.  However,  the  viewpoints  had 
changed  considerably.  In  1984  the  experience  in  the  use  of  risk  management  and 
risk  assessment  was  limited  to  Norway.  In  other  countries  there  was  significant 
opposition  to  similar  practices  at  that  time.  However,  in  1991  a  much  broader 
consensus  on  this  subject  had  developed  across  the  continents. 

Some  of  the  main  emphasis  in  1991  was  therefore  devoted  to  defining  what  was  a 
practical  and  cost  effective  use  of  these  techniques,  rather  than  debating 
whether  they  should  be  used  at  all. 

This  report  describes  the  background  to  the  use  of  risk  management  techniques  and 
summarizes the discussions and conclusions reached during the working-group
sessions.

The  objective  of  the  working  group  sessions  was  to  provide  an  overview  of  the 
state  of  practice  and  of  the  problem  areas,  and  to  explore  and  discuss  research 
needs  and  opportunities  for  implementation  and  applications. 

The  participants  in  the  working  group  consisted  of  representatives  from  European 
and  U.S.  government  bodies,  oil  companies,  engineering,  consulting  and 
manufacturing  firms,  and  classification  societies. 

The  following  countries  were  represented  in  the  Working  Group: 

-  U.S.:      12  participants 

-  U.K.:      3 participants

-  Norway:     1  participant 


The  parent  organizations  were: 

-  Government bodies:  5 participants

-  Classification societies:  2 participants

-  Oil companies:  7 participants

-  Engineering companies:  1 participant

-  Safety equipment manufacturing:  1 participant

Working group activities were organized by Dr. John M. Campbell of John M.
Campbell Company, U.S.A., and Dr. Jan Erik Vinnem of SikteC A/S, Norway. Dr.
Vinnem was responsible for the presentation of the theme paper and for the
preparation of the present report, which incorporates the material presented in
the theme paper.

The table below presents an overview of the time table followed in the
discussions of the working group.

Item  Title                                             Day                  Time
1.    Introduction, Theme Paper                         Wednesday March 20   3:15-5:15
2.    State of Practice                                 Thursday March 21    9:00-10:30
3.    Experience, achievements                          Thursday March 21    10:30-12:00
4.    Problem areas                                     Thursday March 21    12:00-12:45, 14:00-15:00
5.    Research needs                                    Thursday March 21    15:00-16:00
6.    Opportunities for implementation and application  Thursday March 21    16:00-16:45
7.    Conclusions, recommendations                      Thursday March 21    16:45-17:00

2.  State of Practice

2.1  Norway

Systematic  risk  and  environment  management  philosophies  have  been  developed  by 
industries  with  significant  hazard  potential  and  environment  protection  needs  for 
some  decades.  The  development  started  with  industries  such  as  commercial 
aircraft, aerospace, chemical and petrochemical, nuclear, as well as offshore oil
and  gas  industries. 

The  main  principle  of  risk  and  environment  management  is  to  plan,  coordinate  and 
document  all  actions  which  are  carried  out  in  order  to  implement  a  predefined  and 
desired safety and environment protection level.

Another  illustration  of  the  nature  of  safety  management  is  to  describe  safety  and 
environmental protection management as a process, which typically may be
illustrated by an ordinary control loop, as shown in Figure 2.1 (from Ref. 1).
The  following  are  the  main  principles  in  the  diagram: 

Element 1:  Safety and environmental goals and acceptance criteria should be
formulated and decided upon.

Element 2:  Activities should be defined and planned to meet given goals and
requirements.

Element 3:  Work tasks should be performed in accordance with the plans, with
approved working methods and recommended means as well as tools.

Element 4:  Work tasks should be followed up through suitable analyses and
audits, and necessary corrective actions should be carried out when deviations
from goals, requirements or plans are identified.

Figure 2.1  Safety control loop illustrating the process involved in safety
management (diagram not reproduced; surviving label: "Technical/operational
activities")


Norway  was  the  first  country  to  adopt  an  approach  based  on  risk  and  environment 
management  principles  in  the  regulation  of  the  offshore  oil  and  gas  (upstream) 
industry.  This  occurred  around  1980-81,  and  the  Norwegian  Petroleum  Directorate 
is  the  governmental  body  that  initiated  this  process.  The  United  Kingdom  had 
previously  adopted  basically  the  same  approach  for  the  control  of  the  downstream 
oil  and  gas  industries,  as  well  as  the  chemical  industry,  the  main  regulatory 
body  being  the  U.K.  Health  and  Safety  Executive. 

Later,  a  number  of  other  industries  in  various  countries  have  been  (or  are  in  the 
process  of  being)  subjected  to  the  same  control,  including  the  offshore 
(upstream)  oil  and  gas  production  facilities  in  the  U.K. 

Environment  protection  management  has  not  received  the  same  systematic  treatment, 
except in later years. This area is given equal consideration in this report.


2.1.1  Implementation  in  Norway 


The  implementation  of  regulatory  control  in  Norway  has  changed  since  the  first 
exploration  and  production  activities  began  in  the  late  1960s  and  early  1970s. 
The  implementation  described  herein  is  limited  to  risk  and  environment  management 
principles.

2.1.1.1 General Policies


Overall risk studies are used for assessment of overall policies. To a large
extent they have been motivated by the occurrence of accidents, the most
significant of which were a series of fatal helicopter accidents (1973-1978),
a blowout from a production platform (1977) with some 20,000 tons of oil spilled
in the North Sea, and the capsizing of the semi-submersible hotel platform
'Alexander L. Kielland' in 1980.

The  objectives  of  these  studies  have  been: 

- to gain in-depth insight into hazard mechanisms, especially for novel
concepts and systems

- to decide on focus and priorities for general policy aspects

General policy making may apply to areas such as:


—  R&D  for  safety  improvement 

—  training  needs 

—  new  regulations 

—  audits  and  reviews 

2.1.1.2  Overall  Functional  Structure 

Figure  2.2  presents  a  structure  for 
breakdown  of  essential  elements  within 
risk  and  environment  management.  The 
main  levels  are: 

— Goals for the safety and environment work

—  Acceptance  criteria 

—  Specifications 

The  implication  of  the  structure  is 
that  goals  for  safety  (and  environment) 
establish  the  basis  for  definition  of 
more  detailed  requirements. 

Acceptance  criteria  are  developed  from 
goals.  Technical  and  operational 
specifications  are  developed  from 
acceptance  criteria. 

Figure 2.2 Safety structure relating to breakdown of goals and criteria

2.1.1.3 Management Process


Management of risk and environmental protection is often described as a process.
Such a management process shall tie in with all operations, design work,
subcontractors and suppliers, and shall fulfil the following functions:

—  ensure  that  possible  hazards  are  identified  at  the  earliest  possible 
instance 

—  analyze  hazards  to  determine  what  shall  be  the  Design  Accidental  Events 
and  associated  loads 

—  communicate  results  of  risk  assessments  to  designers,  operational 
personnel,  managers  and  all  personnel  affected  by  those  risk  elements 

—  use  results  from  risk  assessments  to  plan  and  implement  emergency  plans, 
and  provide  necessary  equipment  and  external  backup  assistance 

—  implement  operational  experience  and  accident,  incident,  near  miss  and 
failure  data  in  a  planned  effort  to  improve  safety  and  learn  from  past 
experience 

2.1.1.4  Control  of  Operations 

Unlike  the  United  Kingdom,  Norway  has  not  adopted  for  regulatory  purposes  the 
principle  of  third  party  (independent)  control  by  certifying  authorities  (or 
classification societies). The certifying authority operates on behalf of the
appropriate government authorities, which in this manner take an active role in
the  control  of  safety  in  operations  and  systems. 

The  principle  used  in  Norway  for  the  management  of  safety,  environmental  and 
regulatory  bodies  is  somewhat  different,  and  —  it  may  be  argued  —  clearer.  It 
consists  of  using  internal  control  within  the  operator's  organization. 

Internal  control  is  defined  (see  §  2  of  Internal  Control  Regulations)  as: 

"All  systematic  actions  which  the  Licensee  shall  initiate  to  ensure 
that  the  activity  is  planned,  organized,  executed  and  maintained 
according  to  requirements  stipulated  in  or  in  accordance  with  acts 
or regulations."

Internal  control  means  that  the  operator  always  has  the  responsibility  for  the 
operations  and  the  safety  and  environment  protection  during  those  operations. 

2.1.1.5  Technical  and  Operational  Requirements 

The  Norwegian  regulations  have  traditionally  been  rather  extensive,  with  many 
technical  details  prescribed  by  authorities.  However,  since  the  introduction  of 
the  internal  control  principle  there  has  been  a  constant  trend  towards  less 
detailed regulations.

The  functional  requirements  shall  further  be  coupled  with  extensive  use  of  risk 
assessments,  to  define  acceptable  hazard  control  in  relation  to  specific 
installations, systems and operations.

2.1.1.6 Safety Goals and Acceptance Criteria

Formerly,  the  Norwegian  Petroleum  Directorate  issued  acceptance  criteria  for  the 
design of new production installations. The most recent developments in
regulation  require  operators  to  set  their  own  long  term  safety  goals,  from  which 
the  acceptance  criteria  shall  be  developed  for  new  installations  and  the 
operation  of  existing  platforms. 

Identification  of  Design  Accidental  Events  (DAE)  shall  be  the  primary  objective 
for  risk  assessments  during  planning  and  design.  The  same  shall  apply  to  risk 
assessments  relating  to  modifications  and  extensions.  In  the  operation  phases  the 
primary  goal  for  risk  assessments  shall  be  the  identification  of  the  most 
critical  risk  elements  that  may  be  candidates  for  further  risk  reduction. 

All  elements  of  risk  shall  as  far  as  possible  be  subjected  to  risk  reduction 
efforts,  either  in  the  form  of  elimination  of  the  hazard,  or  in  the  form  of  risk 
level  reduction,  by  consequence  reduction,  frequency  reduction,  or  both. 

After  all  possible  risk  reduction  measures  have  been  adopted,  estimates  are  made 
of  Residual  Accidental  Events,  that  is,  of  accidental  events  that  violate  the 
acceptance criteria. These frequencies are then compared with the cut-off limit,
which is 10^-4/year per safety function and for each hazard type. The safety
functions  are  the  following: 

—  Escapeways 

—  Shelter  Area  ("Safe  Haven") 

—  Main  Support  Structure 

—  Control  Functions 

It  should  further  be  noted  that  an  additional  criterion  has  been  added  recently, 
stating  that  Design  Accidental  Events  shall  not  cause  substantial  environmental 
pollution. 

The overriding goal for all safety work is, at a minimum, to meet all official
requirements  in  applicable  rules  and  regulations.  This  is  the  tie  between  use  of 
risk  assessments  and  internal  control.  Use  of  risk  assessments  is  hereby  an 
element  of  a  total  internal  control  system. 

The  overriding  official  requirement  is  that  the  safety  level  shall  be  fully 
satisfactory  with  respect  to  personnel,  environment  and  economic  assets.  This  is 
defined by NPD as entailing:

—  avoidance  of  accidents 

—  minimization  of  risk  at  all  times 

— continuous reduction of risk level by use of technological means and
operational  experience 

Typical examples of safety goals may be the following:

— relating to serious accidents: there shall be a negligibly low probability
of  Residual  Accidental  Events  over  the  field  lifetime,  for  all 
installations  involved  in  the  production  from  the  field. 

—  the  probability  of  serious  accidents  in  the  form  of  Design  Accidental 
Events  shall  also  be  low  over  the  field  lifetime,  for  all  field 
installations.

—  personnel  outside  the  immediate  vicinity  of  such  an  accident  shall  not  be 
at  risk,  even  if  emergency  evacuation  is  necessary.  This  will  impose 
special  requirements  for  the  emergency  preparedness  systems. 

In  this  context  oil  pollution  from  accidental  releases  can  be  considered. 
Norwegian  authorities  will  not  accept  that  accidental  release  of  oil  may  give 
rise  to  impact  on  environmental  resources  such  as  fish,  seabirds,  sea  mammals, 
recreation,  aquaculture,  and  so  forth.  Thus  they  require  an  emergency 
preparedness  from  the  offshore  operators  to  tackle  small  and  large  accidental  oil 
spills. 

2.1.2 Concept Safety Evaluation

The  Concept  Safety  Evaluation  (CSE)  was  formally  required  as  of  September  1,  1981 
for  production  installations  on  the  Norwegian  Continental  Shelf.  The  CSE  has  been 
one  of  the  main  'building  blocks'  for  the  use  of  risk  assessments  as  a  risk 
management  tool  in  offshore  operations. 

The  principles  for  CSE  need  to  be  described  in  order  to  appreciate  the  acceptance 
criteria,  in  a  quantitative  as  well  as  a  qualitative  sense.  A  brief  description 
follows  below: 

(1)  The  concept  is  analyzed  in  order  to  identify  possible  accident  scenarios, 
taking  into  account: 

-  possible  initiating  events 

-  possible  failures  of  safety  systems 

-  environmental  conditions 

From  this  analysis,  a  number  of  possible  accidental  events  are  defined. 

(2)  Based  on  evaluation  of  consequences,  the  Design  Accidental  Events  (DAE) 
shall  be  derived  from  amongst  the  possible  accidental  events.  This 
derivation  shall  be  based  on  evaluation  of  quantified  accidental  effects. 

(3)  For  the  DAE  the  installation  concept  shall  be  compared  with  qualitative 
acceptance  criteria  in  order  to  verify  that  the  installation  concept  has 
an  acceptable  safety  level. 

(4)  According  to  the  revised  Guidelines,  each  of  the  RAEs  will  be  evaluated 
carefully  to  determine  if  risk  reducing  measures  can  be  implemented.  Such 
risk  reduction  may  be  either  reduction  of  accidental  effects  or  frequency 
of occurrence, or a combination of the two. In the first case the
accidental event may be transformed into a Design Accidental Event, if
impairment of the safety functions can be avoided. In the case of
frequency reduction, the event will still be a RAE, but a less critical
event.

(5) Maximum allowable frequency for RAEs is 10^-4/year per accident type and per
safety  function.  This  is,  according  to  the  revised  text,  the  last  step  to 
be  taken. 

The  primary  acceptance  criterion  for  personnel  safety  states  that  in  a  design 
accident  situation  the  consequences  shall  be  limited  to  personnel  in  the 
immediate  vicinity  of  the  accident. 

This  general  criterion  has  also  been  spelled  out  into  three  requirements 
concerned  with  the  main  safety  functions: 

(a)  At  least  one  escapeway  from  central  positions  which  may  be  subjected  to  an 
accident  shall  normally  be  intact  for  at  least  one  hour  during  a  DAE. 

(b)  Shelter  areas  shall  be  intact  during  a  calculated  accidental  event  until 
safe  evacuation  is  possible. 

(c)  Depending  on  the  installation  type,  function  and  location,  when  exposed  to 
the  Design  Accidental  Event,  the  main  vessel  structure  must  maintain  its 
load  carrying  capacity  for  a  specified  time. 
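
The screening logic of steps (1) to (5), as an added Python example that is not part of the original paper: events that impair none of the four safety functions are treated as DAEs, the rest as RAEs whose frequencies are summed per hazard type and safety function and compared with the 10^-4/year cut-off. The event list, frequencies, risk reducing measures and the summation rule are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

CUTOFF_PER_YEAR = 1e-4  # cut-off limit per safety function and per hazard type
SAFETY_FUNCTIONS = frozenset(
    {"escapeways", "shelter_area", "main_support_structure", "control_functions"}
)


@dataclass(frozen=True)
class AccidentalEvent:
    name: str
    hazard_type: str
    frequency: float                    # occurrences per year
    impaired: frozenset = frozenset()   # safety functions the event impairs

    def __post_init__(self):
        unknown = set(self.impaired) - SAFETY_FUNCTIONS
        if unknown:
            raise ValueError(f"unknown safety function(s): {sorted(unknown)}")
        if self.frequency < 0:
            raise ValueError("frequency must be non-negative")


@dataclass(frozen=True)
class Measure:
    """Risk reducing measure for one event (step 4)."""
    event: str
    frequency_factor: float = 1.0       # frequency reduction, 0 < factor <= 1
    protects: frozenset = frozenset()   # consequence reduction: impairment avoided

    def __post_init__(self):
        if not 0.0 < self.frequency_factor <= 1.0:
            raise ValueError("frequency_factor must be in (0, 1]")


def apply_measures(events, measures):
    """Return new events with all measures for each event applied."""
    by_event = defaultdict(list)
    for m in measures:
        by_event[m.event].append(m)
    result = []
    for ev in events:
        freq, impaired = ev.frequency, set(ev.impaired)
        for m in by_event[ev.name]:
            freq *= m.frequency_factor
            impaired -= m.protects
        result.append(replace(ev, frequency=freq, impaired=frozenset(impaired)))
    return result


def classify(event):
    """DAE if no safety function is impaired, otherwise RAE."""
    return "RAE" if event.impaired else "DAE"


def screen(events, cutoff=CUTOFF_PER_YEAR):
    """Sum RAE frequencies per (hazard type, safety function) and flag exceedances."""
    totals = defaultdict(float)
    for ev in events:
        for function in ev.impaired:
            totals[(ev.hazard_type, function)] += ev.frequency
    return {
        "classes": {ev.name: classify(ev) for ev in events},
        "totals": dict(totals),
        "exceedances": {k: f for k, f in totals.items() if f > cutoff},
    }


# Constructed sample input, not data from the paper.
CONSTRUCTED_EVENTS = [
    AccidentalEvent("process fire, module A", "fire", 3e-4, frozenset({"escapeways"})),
    AccidentalEvent("jet fire at riser", "fire", 6e-5,
                    frozenset({"escapeways", "shelter_area"})),
    AccidentalEvent("gas explosion", "explosion", 8e-5, frozenset({"control_functions"})),
    AccidentalEvent("ship collision", "collision", 5e-5,
                    frozenset({"main_support_structure"})),
    AccidentalEvent("dropped object on deck", "dropped_object", 2e-3),
]
CONSTRUCTED_MEASURES = [
    # Consequence reduction: escapeway stays usable, so the event becomes a DAE.
    Measure("process fire, module A", protects=frozenset({"escapeways"})),
    # Frequency reduction only: the event stays an RAE, but a less critical one.
    Measure("jet fire at riser", frequency_factor=0.5),
]

if __name__ == "__main__":
    for label, events in (
        ("before", CONSTRUCTED_EVENTS),
        ("after", apply_measures(CONSTRUCTED_EVENTS, CONSTRUCTED_MEASURES)),
    ):
        report = screen(events)
        print(label, report["classes"], report["exceedances"])
```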

2.1.3  Terminology 

The  terminology  used  in  connection  with  these  studies  is  based  on  that  developed 
by  the  Norwegian  Petroleum  Directorate  in  their  Guidelines  for  Concept  Safety 
Evaluation. The terms listed below shall have the following meaning:

Accidental  Event  is  an  unwanted  incident  or  condition  which  may  cause  one  or  more 
accidental  effects. 

Accidental  Effect  is  the  result  of  an  accidental  event,  expressed  in  terms  of 
heat  flux,  impact  force  or  energy,  acceleration,  and  so  forth,  which  is  the  basis 
for  the  safety  evaluation. 

Impairment  means  that  the  actual  function  or  object  studied  is  unusable  for  its 
purpose  (e.g.  escapeways  filled  with  heavy  smoke). 

Shelter Area is an area on the platform or outside it (adjacent platform or bridge) where the
crew  will  remain  safe  for  a  specific  period  of  time  in  an  emergency  situation. 

Design  Accidental  Event  (DAE)  is  an  event  that  the  platform  should  be  designed 
to  sustain. 

Residual Accidental Event (RAE) is an event that the platform is not assumed
capable of sustaining.

Vulnerability is used as a measure for the extent to which an object is
susceptible to impairment by relevant external loads.


Acceptance  criteria  are  functional  requirements  which  are  concerned  with  the 
platform's  resistance  against  accidental  effects,  aimed  at  definition  of  the 
authority's  view  on  acceptable  safety  level. 

Safety Goals. Concrete targets against which the operations of installations at
the  field  are  measured  with  respect  to  safety.  These  targets  shall  contribute  to 
avoidance  of  accidents  or  resistance  against  accidental  consequences. 

Acceptance  criteria.  Distinctive,  normative  formulations  against  which  the 
results  of  a  risk  assessment  may  be  compared.  The  criteria  shall  in  a  short  term 
perspective  express  the  implementation  of  the  safety  goals. 

Personnel  Safety.  Safety  for  all  personnel  involved  in  the  operation  of  a  field. 

Environment  Safety.  Safety  relating  to  protection  of  the  environment  from 
accidental  spills  which  may  cause  damage. 

Material  Damage  Safety.  Safety  of  the  installation,  its  structure  and  equipment 
relating  to  accidental  consequences  in  terms  of  production  delay  and 
reconstruction  of  equipment  and  structures. 

Escape. Actions by personnel on board surface installations (as well as those by
divers)  taken  to  avoid  the  area  of  accident  origin  and  accident  consequences  to 
reach  an  area  where  they  may  remain  in  shelter. 

Evacuation.  Abandonment  of  the  platform  from  sheltered  areas  by  the  dedicated 
evacuation  means.  Emergency  evacuation  is  normally  the  main  consideration,  as 
precautionary  evacuation  is  less  demanding  on  the  evacuation  resources. 

2.1.4  Other  Risk  and  Reliability  Studies 

Risk  and  reliability  studies  (other  than  the  CSE)  shall  be  used  actively  to 
develop  specific  specifications,  design  loads,  design  scenarios,  and  explore 
residual  risk,  to  be  compared  with  acceptance  criteria.  This  is  the  breakdown  in 
practice  of  safety  goals  and  acceptance  criteria  into  specifications. 

The  use  of  risk  and  reliability  studies  shall  replace  the  detailed  technical 
specifications  formerly  stipulated  by  authorities,  and  shall  secure  a  more 
flexible  and  cost  effective  achievement  of  an  acceptable  safety  standard. 

One  of  the  means  to  implement  specific  safety  and  reliability  requirements  is  by 
means  of  Design  Accidental  Loads,  associated  with  Design  Accidental  Events.  These 
conditions  specify  which  accidental  conditions  shall  form  the  design  basis  for 
different  components  and  structures.  This  may  for  instance  apply  to  the  extent 
of  fire  loads  from  pool  fires,  impact  loads  from  falling  objects  or  ship 
collisions.

2.1.5  New  Regulations 

The use of Probabilistic Risk Assessments (PRAs) in the offshore oil and gas
industry is likely to expand rapidly over the next few years. This
technique  has  been  successfully  applied  in  the  Norwegian  sector  of  the  North  Sea 
for  a  decade.  The  expansion  of  this  application  is  imminent;  for  instance  new 
British  regulations  are  being  developed  as  a  result  of  the  Piper  Alpha  accident. 

Other  countries  are  also  seen  to  be  more  interested  in  PRAs  than  was  the  case 
some  time  ago,  for  instance  the  United  States  and  countries  in  South-East  Asia. 

Such  a  development  will  mean  that  the  tools  will  need  a  wider  application  and 
recognition.  Philosophies,  techniques  and  data  need  to  be  consistent  and  well 
developed.  This  will  require  development  of  models,  data  bases  and  practical 
tools,  in  order  to  fulfill  the  operator's  needs  to  establish  viable  techniques, 
acceptable  to  management,  government  authorities,  and  the  public.  The  scope  of 
such studies will cover personnel, environmental, and material damage safety.

The  results  should  be  communicated  to  designers,  operational  personnel,  managers 
and  all  personnel  affected  by  those  risk  elements.  The  results  of  risk 
assessments  shall  be  used  to  plan  and  implement  emergency  plans,  provide 
necessary  equipment,  and  provide  external  backup  assistance.  Operational 
experience  and  accident,  incident,  near  miss  and  failure  data  should  be 
implemented  in  a  planned  effort  to  improve  safety  and  learn  from  past  experience. 

Similarly,  the  requirements  in  the  United  Kingdom  are  expected  to  be  roughly  the 
same  as  in  Norway.  The  emphasis  will  be  placed  on  active  use  of  risk  assessment 
in  the  design  process  and  in  the  operations  phase.  Further,  risk  to  the 
environment  is  a  focal  point,  in  addition  to  economical  risk  aspects.  Economical 
aspects  of  risk  as  well  as  environmental  spill  risk  are  likely  to  be  the  most 
important  in  the  United  States. 

The  trend  that  these  new  regulations  are  expected  to  bring  about  (according  to 
Ref. 3) can be characterized by the following:

—  The  scope  of  such  assessments  will  be  increased  considerably,  from  the 
present  limitation  to  development  of  new  producing  installations. 
Requirements  to  carry  out  these  studies  are  in  the  future  expected  to 
apply  to  all  offshore  activities,  from  the  exploration  activities,  through 
production  platform  design  and  installation,  and  during  the  production 
phase,  until  it  ends  in  platform  removal. 

—  Offshore  operating  companies  will  be  expected  to  develop  their  own  set  of 
safety  goals  and  acceptance  criteria.  These  would  be  replacing  the  widely 
known, single value criterion 10^-4 per year, which is not expected to play
the  same  key  role  as  it  has  so  far.  This  apparently  recognizes  that  a 
single  valued  criterion  cannot  cover  all  foreseeable  situations. 

—  There  is  in  parallel  with  the  development  of  risk  assessment  regulations 
also  an  internal  process  to  simplify  the  technical  regulations 
considerably,  and  to  remove  as  many  of  the  specific  detailed  requirements 
as  possible.  This  implies  that  distinct  technical  requirements  which  have 
been  very  detailed  and  voluminous  up  until  now  shall  be  replaced  by  more 
functional and shorter technical regulations.

This implies in practice that a requirement for a lifeboat seat capacity
of 200% of the number of beds on the platform will be replaced by a
functional requirement to provide such a capacity as may be required to
secure safe evacuation in all Design Accidental Events.

The  government  authority  requirements  are  expected  to  focus  primarily  on  safety 
of  personnel,  whereas  safety  against  environmental  spill  and  safety  protection 
of  the  investment  will  be  given  less  consideration. 

The  new  regulation  specifies  the  following  risk  reducing  measures  for  each  DAE: 

a)  personnel  outside  immediate  vicinity  are  not  injured 

b)  evacuation  in  a  safe  and  organized  manner 

c)  personnel  can  remain  safely  until  safe  evacuation  is  expected 

d)  control  rooms/other  areas  of  importance  remain  operative  until  safe 
evacuation  is  expected 

e)  external  assistance  received/carried  out  effectively 

f)  environmental  damage  is  avoided 

The  following  were  the  DAE  requirements  in  the  1981  Guidelines: 

•  personnel  outside  immediate  vicinity  not  injured 

•  safe  evacuation  shall  be  possible 

•  remain  safely  in  shelter  area 

•  control  room  in  safe  area 

•  external  assistance  after  four  hours 

•  integrity  of  support  structure 

The  practice  inherent  in  the  new  regulations  is  nothing  more  than  what  companies 
like Conoco Norway Inc., Norsk Hydro, Saga Petroleum, Shell and Statoil have been
doing  for  the  last  few  years  on  the  Norwegian  Continental  Shelf. 

2.1.6 Design Tools

A  brief  example  may  illustrate  the  use  of  Risk  Assessments  in  the  design  process. 
The  following  is  a  presentation  of  the  basis  for  selection  of  ESD  versus  PSD 
valves,  based  on  fire  risk  assessment. 

2.1.6.1  Fire  Integrity 

All  fire  partitions  (either  as  physical  partition  or  as  distance)  between  two 
separate  fire  areas  will  have  to  be  designed  to  maintain  their  integrity  under 
the  design  fire  loads  for  the  areas. 

2.1.6.2  Assessment  of  Design  Fire  Load 

A fire load assessment for a closed module will have to reflect limitations to
oxygen supply due to capacities and characteristics of a mechanical ventilation
system.  On  the  other  hand  a  potential  initiating  explosion  may  open  up  module 
walls  and  give  additional  air  supply. 

In  the  case  of  significant  explosion  overpressure  additional  air  supply  may  also 
be created for semi-enclosed modules. This will also have to be taken into
consideration.  Explosions  may  also  lead  to  secondary  ruptures  of  other  process 
systems,  and  the  combined  effect  of  leaks  from  different  systems  may  then  have 
to  be  accounted  for. 

The  detailed  premises  and  assumptions  which  should  be  used  for  liquid  as  well  as 
gas  fires  are  outlined  below.  These  apply  to  the  contents  of  pressure  vessels  and 
associated  piping. 

2.1.6.3  Liquid  Fire 

The  design  fire  loads  in  a  case  of  a  pool  fire  should  be  assessed  based  upon  the 
following  premises: 

-  The  maximum  contents  of  hydrocarbon  which  can  exist  within  a  process 
section 

-  The  cross  sectional  area  of  the  leak  should  be  a  high  value  implying  that 
the  leaking  rate  of  the  hydrocarbon  is  high.  This  means  that  the  duration 
of  the  pool  fire  will  be  significantly  longer  than  the  duration  of  the 
leak. 

-  A  realistic  assessment  should  be  performed  of  the  area  on  to  which  the 
leak  is  spilt.  This  implies  that  the  position  of  possible  leaks  will  have 
to  be  assessed  in  relation  to  obstructions  such  as  drip  pans.  The 
capacity  of  drip  pans  as  well  as  the  location  will  have  to  be  considered. 
Possible  grated  floors  will  also  be  taken  into  account. 

-  The  regression  rate  (rate  of  combustion  expressed  as  height  of  liquid  film 
burning  per  time  and  area  unit)  will  have  to  be  realistically  assessed 
according  to  the  relevant  type  of  hydrocarbon  liquid. 

-  The  duration  should  be  assessed  without  consideration  of  drain  systems. 

-  Possible  ventilation  shut-down  in  the  case  of  fire  detection  should  be 
considered  for  closed  modules. 

2.1.6.4 Gas Fire

The  design  accidental  loads  for  gas  fires  should  be  assessed  based  on  the 
following  premises: 

-  The  amount  of  gas  leaking  will  take  the  volume  between  isolating  valves 
into  account. 

- The duration of gas jet fire is strongly dependent on the mass flux, which
again is determined by the cross sectional area of the leak. A large hole
implies  a  high  mass  flux  and  a  short  duration.  The  design  case  should  be 
a  relatively  small  cross  sectional  area  which  gives  the  significant 
duration.  The  realistic  leak  area  must  be  related  to  the  dimensions  used 
in  the  area. 

-  The  calculation  of  volumes  will  have  to  consider  the  time  required  to 
activate  pressure  relief  systems  according  to  available  systems  and 
relevant procedures.

-  A  fire  jet  may  expose  equipment  in  any  direction  and  all  systems  within  a 
fire  area  must  be  considered  as  potentially  exposed. 
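
The premises of sections 2.1.6.3 and 2.1.6.4 worked through numerically, as an added example that is not part of the original paper: pool burn-out time from inventory, pool area and regression rate, and jet fire duration for an isolated gas inventory leaking through holes of different size. The constant-pressure liquid leak, the isothermal ideal-gas choked-flow blowdown model and all numerical inputs are assumptions made for this sketch.

```python
import math

R_GAS = 8.314462618   # universal gas constant, J/(mol K)
P_ATM = 101_325.0     # ambient pressure, Pa


def pool_fire_duration_s(volume_m3, pool_area_m2, regression_m_per_s):
    """Burn-out time of a pool fire with drains ignored: V / (A_pool * regression rate)."""
    if min(volume_m3, pool_area_m2, regression_m_per_s) <= 0:
        raise ValueError("inputs must be positive")
    return volume_m3 / (pool_area_m2 * regression_m_per_s)


def liquid_leak_duration_s(volume_m3, hole_area_m2, dp_pa, density_kg_m3, cd=0.61):
    """Time to spill the inventory through an orifice at constant driving pressure
    (simplifying assumption; a falling pressure would lengthen the leak)."""
    if min(volume_m3, hole_area_m2, dp_pa, density_kg_m3) <= 0:
        raise ValueError("inputs must be positive")
    flow_m3_s = cd * hole_area_m2 * math.sqrt(2.0 * dp_pa / density_kg_m3)
    return volume_m3 / flow_m3_s


def gas_jet_fire(volume_m3, p0_pa, p_end_pa, hole_diameter_m,
                 temp_k=300.0, molar_mass=0.016, gamma=1.3, cd=0.85):
    """Initial release rate (kg/s) and time (s) for the isolated volume between
    closed valves to decay from p0 to p_end through one hole.

    Assumptions: ideal gas, isothermal inventory, choked (sonic) orifice flow
    over the whole interval. Defaults approximate methane.
    """
    # Flow stays choked only while upstream pressure exceeds this limit.
    choked_limit = P_ATM * ((gamma + 1.0) / 2.0) ** (gamma / (gamma - 1.0))
    if not choked_limit <= p_end_pa < p0_pa:
        raise ValueError("need choked_limit <= p_end < p0 for this model")
    area = math.pi * hole_diameter_m ** 2 / 4.0
    # Choked orifice flow is proportional to upstream pressure: mdot = k * P.
    k = (cd * area * math.sqrt(gamma * molar_mass / (R_GAS * temp_k))
         * (2.0 / (gamma + 1.0)) ** ((gamma + 1.0) / (2.0 * (gamma - 1.0))))
    # Inventory mass m = P V M / (R T), so P(t) = p0 * exp(-t / tau).
    tau = volume_m3 * molar_mass / (R_GAS * temp_k * k)
    return k * p0_pa, tau * math.log(p0_pa / p_end_pa)


def constructed_cases():
    """Constructed inputs, not data from the paper."""
    # Liquid: 10 m3 section, large 0.01 m2 leak at 5 bar, oil of 800 kg/m3,
    # pool limited to 50 m2, regression rate 4 mm/min.
    leak_s = liquid_leak_duration_s(10.0, 0.01, 5e5, 800.0)
    pool_s = pool_fire_duration_s(10.0, 50.0, 4e-3 / 60.0)
    # Gas: 20 m3 between isolating valves at 100 bar, followed down to 10 bar.
    small = gas_jet_fire(20.0, 100e5, 10e5, hole_diameter_m=0.010)
    large = gas_jet_fire(20.0, 100e5, 10e5, hole_diameter_m=0.100)
    return {"leak_s": leak_s, "pool_fire_s": pool_s, "small": small, "large": large}


if __name__ == "__main__":
    c = constructed_cases()
    print(f"liquid leak lasts {c['leak_s']:.0f} s, pool fire {c['pool_fire_s']:.0f} s")
    for label in ("small", "large"):
        rate, duration = c[label]
        print(f"{label} hole: {rate:.1f} kg/s initially, {duration:.0f} s to 10 bar")
```

The small hole gives the long-lasting jet fire that governs the design case, while the large hole empties the same inventory in a fraction of the time.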

2.1.6.5  Fire  Areas 

A  fire  area  is  often  enclosed  by  passive  fire  partitions  in  order  to  limit  the 
systems  that  may  be  exposed  to  fire  loads.  The  design  fire  loads  will  be  the 
basis  for  establishing  the  capacity  required  for  the  fire  partitions. 

A  fire  area  may  also  be  segregated  by  distance  alone,  without  any  fire 
partitions.  This  implies  that  the  distance  must  allow  the  design  fire  to  burn 
without  exposing  the  surroundings  to  excessive  fire  loads. 

2.1.6.6  Availability  Requirements 

The  availability  requirements  in  this  section  apply  to  the  need  to  isolate 
process  sections  in  the  event  of  a  fire,  in  order  to  limit  the  fire  loads.  The 
considerations  discussed  here  apply  to  the  isolation  function,  and  not  the 
process  control  systems. 

Availability  of  the  isolation  function  implies  in  the  present  context  that  the 
following  requirements  must  be  satisfied: 

-  The  valve  must  close  on  demand  as  intended  without  failure 

- The valve must initially be tight in both directions, and must continue to
isolate completely, even if a high pressure gradient across the valve
exists.

The  selection  of  PSD  or  ESD  valves  is  dependent  on  these  two  factors,  in  order 
to  prevent  fire  escalation.  High  reliability  of  the  isolating  function  may  be 
achieved  by: 

-  a  PSD  valve,  if  process  shutdown  is  initiated  as  part  of  the  process 
safety  function,  and  the  activation  system  has  a  high  reliability 

-  an  ESD  valve,  if  the  valve  or  its  activation  appliances  may  be  subjected 
to  the  same  fire  as  the  valve  shall  isolate  against 

This evaluation assumes that an ESD valve has a higher level of protection
against leaks through the valve, in the case of a fire load impinging on the
valve or its controls.

2.1.7 Areas of Special Concern


2.1.7.1  Burning  Blowouts 

Burning  blowouts  are  often  seen  to  be  the  main  cause  of  impairment  of  the 
platform  and  of  fatalities  in  the  case  of  large  platforms.  Only  limited 
improvement  has  taken  place  over  the  last  years  with  respect  to  the  frequency  of 
occurrence  of  blowouts. 

2.1.7.2  Gas  Riser  Leaks 

The  gas  riser  leak  with  possible  escalating  fires  and  explosions  has  been 
considered  with  great  attention  since  the  Piper  Alpha  accident.  The  scenario  can 
indeed be a devastating escalation of an accident into something similar to a
blowout.  However,  with  the  use  of  subsea  barriers,  risk  reduction  is  suddenly 
possible.  A  number  of  platforms  have  had  subsea  barrier  valves  installed  during 
the  last  few  years.  Application  of  such  barriers  calls  for  detailed  studies  of 
possible  merits  and  optimization  of  the  installation. 

2.1.7.3  Collision  by  Merchant  Vessels 

A  possible  major  collision  by  a  passing  merchant  vessel  is  among  the  main  hazards 
in  the  North  Sea,  where  no  traffic  lanes  are  defined  to  keep  the  traffic  well 
clear  of  the  platforms. 

2.1.7.4  Escape  and  Evacuation 

Escapeways  may  often  need  special  protection  to  allow  access  to  shelter  areas  or 
evacuation  means  in  case  of  severe  fire  and  explosion. 

Evacuation  by  conventional  davit  launched  lifeboats  has  often  been  proven 
difficult  due  to  complicated  launching  procedure  especially  in  bad  weather 
conditions.  The  so-called  free  fall  lifeboat  concept  has  gained  much  credibility 
in  the  North  Sea,  as  it  is  independent  of  weather  conditions  as  far  as  the 
probability  of  successful  launching  is  concerned. 

2.1.7.5 Novel Production Systems

Novel  production  systems  are  particularly  difficult  to  assess  owing  to  the 
limited  experience  with  their  operation  and  the  lack  of  pertinent  quantitative 
as  well  as  qualitative  data. 

2.1.8 Assessment of Old Installations

Following  the  Piper  Alpha  accident  all  operating  companies  on  the  Norwegian 
Continental  Shelf  have  been  required  to  update  their  safety  studies  of 
installations  performed  in  the  past,  and  safety  studies  have  been  required  for 
installations for which such studies had not been performed. The objective of the
studies is to assess the risk of occurrence of accidents of the Piper
Alpha  type.  Risk  reducing  measures  have  to  be  applied  if  this  risk  is  shown  to 
be  significant.  This  has  required  a  great  deal  of  attention  to  the  oldest 
platforms on the Norwegian Continental Shelf.

2.2 United Kingdom


The  following  is  a  brief  summary  of  the  Cullen  recommendations  with  respect  to 
safety  management: 

The  'Safety  Case'  requirement  is  a  major  change  in  U.K.  offshore  risk  management 
philosophy.  Although  many  aspects  will  differ  from  those  in  the  current  Norwegian 
regulatory regime, the new U.K. and Norwegian regulatory systems will be much more
alike  in  the  future. 

The  main  feature  of  this  requirement  is  that  the  approval  of  safety  is  based  on 
dedicated  assessment  of  the  specific  conditions  on  each  installation.  This  is  in 
sharp  contrast  to  a  philosophy  where  the  approval  is  entirely  based  on  whether 
the  installation  and  its  equipment  meet  standards  defined  in  regulations, 
guidelines  and  common  practice. 

Further, the safety requirements will be functional, rather than consisting of
specifications  of  detailed  technical  solutions. 

The  Safety  Case  should  be  made  for  all  installations,  both  on  existing  and  future 
platforms.  The  Safety  Case  should  further  be  updated  regularly.  The  objective  of 
the  proposed  Safety  Case  is  to  demonstrate  that  safety  protection  objectives  have 
been  satisfied,  including: 

(i)  that  the  entire  safety  management  system  of  the  company  is  adequate 
to  ensure  that  the  design  and  the  operation  of  the  installation  and 
its  equipment  are  safe 

(ii)  that  the  potential  major  hazards  of  the  installation  and  the  risks  to 
personnel  have  been  identified  as  a  means  to  identify  the  appropriate 
risk  control  measures  which  need  to  be  provided 

(iii)  that,   in  a  major  emergency,   adequate  provisions  are  made  for: 

—  Temporary  Safe  Refuge  (TSR)  for  personnel  on  the  installation 

—  Safe  and  full  evacuation,  escape  and  rescue 

It  is  recommended  that  the  safety  objectives  are  specified  in  the  Safety 
Management  System  (SMS).  Further,  the  SMS  should  include  a  quantified  risk 
assessment,  a  fire  risk  analysis  and  an  evacuation,  escape  and  rescue  analysis. 

Further,  regular  audits  are  recommended,  to  be  performed  internally  by  the 
operator  in  accordance  with  the  SMS,   and  by  the  regulatory  body. 

2.3 United States

Risk  assessment  and  risk  management  techniques  are  just  beginning  to  be  used 
within  the  U.S.  offshore  industry.  One  of  the  main  applications  of  such 
techniques  in  the  recent  past  was  the  MCAPS  project  (Methodology  for  Comparison 
of Alternate Platform Systems), which in a full scope reliability analysis
framework assessed possible methods for lifecycle cost analysis. These methods
considered economical risk, availability of production, personnel risk, and
environmental  spill  risk.  In  particular,  the  project  looked  into  the  comparison 
of  platform  concepts  and  systems  given  prevailing  uncertainties. 

The  extension  of  the  U.S.  offshore  industry  into  deeper  waters  has  been  one  of 
the  main  driving  forces  behind  the  use  of  risk  assessment  techniques.  Many  of  the 
U.S.  oil  companies  had  gained  experience  in  the  use  of  such  techniques  from  the 
European  offshore  industry. 

3. Experience and Achievements

Experience in using Risk Management principles is illustrated by discussing the
risk  management  process  adopted  in  a  recent  development  project  on  the  Norwegian 
Continental  Shelf. 

3.1 Case Study

The  use  of  formal  risk  assessments  as  a  tool  for  evaluation  and  optimization  of 
safety  protection  in  the  North  Sea  is  illustrated  by  means  of  a  case  study,  based 
on  risk  assessments  performed  by  SikteC  for  Statoil  in  connection  with  the 
development  of  the  Veslefrikk  project.  This  project  started  in  early  1986  and  has 
resulted in a novel production concept. On account of the novelty of the design
concept  the  project  has  been  studied  carefully,  formal  risk  assessments  being 
used  with  respect  to  safety  for  personnel  and  for  the  installation  itself. 

The  paper  will  draw  upon  the  results  and  conclusions  of  the  studies  to  make 
observations  for  general  use.  The  way  these  studies  have  been  utilized  by  the 
engineering  contractors  is  also  reviewed.  The  studies  of  the  Veslefrikk 
installations  have  been  carried  out  as  quantitative  risk  assessments,  and  the 
applicability  of  such  studies  for  offshore  platforms  is  discussed.  Conclusions 
from  the  risk  management  process  are  discussed  in  a  general  context. 
Possibilities  for  continuation  of  the  risk  management  process  into  the 
operational  phase  are  also  outlined. 

3.1.1  Introduction 

Legislation  in  Norway  has  required  quantitative  risk  assessments  since  1981  as 
part  of  the  risk  control  process  of  offshore  operations.  Many  safety 
professionals feel that considerable improvements have been made in the last ten
years.

The  use  of  safety  evaluations  in  the  Norwegian  offshore  industry  was  typically 
based  on  the  use  of  Probabilistic  Risk  Assessments  for  the  nuclear  industry*. 
Some  companies  had  explored  the  possibility  of  using  this  approach  on  offshore 
platforms  in  the  late  1970's.  A  significant  step  forward  was  taken  by  the  Safety 
Offshore  research  program,  initiated  by  the  government  and  jointly  sponsored  by 
the offshore industry in response to the Norwegian Shelf Ekofisk Bravo blowout
during a well workover in 1977.

Recent  offshore  accidents  in  the  North  Sea  have  focused  attention  on  the 
potential  for  fire  and  explosions.  Design  of  fire  control  systems  on  offshore 
platforms has traditionally been based on regulations, standards as well as good
engineering  practice.  Considerable  conservatism  is  often  built  into  this 
approach,  and  large  protective  systems  are  often  seen,  with  significant  cost 
impact.  Tools  for  optimization  of  the  design  have  been  lacking  until  recently, 
and  are  not  used  to  any  significant  extent.  Use  of  probabilistic  risk  assessment 
methodology  has  recently  been  extended  to  consider  optimization  of  safety  design. 
The  Veslefrikk  development  includes  several  examples  where  such  optimization  took 
place. 


3.1.2  Description  of  the  Veslefrikk  Field 


The  Veslefrikk  field  is  located  in  the  Norwegian  sector  of  the  North  Sea  in  the 
Northern  region.  The  water  depth  is  175  meters.  The  field  produces  oil  and  gas 
at  an  approximate  flowrate  of  10,000  1.0  m^  per  day.  The  Veslefrikk  installations 
consist  of: 


—  a  Wellhead  and  Drilling  platform,  supported  by  a  steel  jacket  structure 
(deck  size  30  by  40  meters) 

—  a pre-installed template at the seabed, allowing production wells to be
pre-drilled  before  installation  of  the  jacket 

—  a  semi-submersible  platform  (third  generation)  converted  from  drilling 
mode  to  production,  utilities,  drilling  support  and  accommodation  (deck 
size  80  by  80  meters) 

—  a  telescopic  aluminium  bridge  for  connecting  the  platforms  at  an 
operational  distance  of  38  meters 

—  flexible  hoses  for  production  flow,  export  of  crude  oil  and  gas,  and  all 
connections  required  for  supporting  of  the  drilling  and  production  systems 

3.1.3    Safety  Features 

The Veslefrikk platforms have many unique safety features, some of which
contribute  considerably  to  making  the  two  platforms  a  safe  installation.  The  main 
safety  features  can  be  summarized  as: 

—  The  bridge  connection  as  a  way  to  escape  from  an  accident  over  to  the  next 
platform 

—  Structural safety of a third generation semi-submersible platform

—  Evacuation  philosophy  based  on  use  of  the  bridge  as  the  primary  means, 
prior  to  deployment  of  conventional  lifeboats 

—  Optimized  combination  of  active  and  passive  fire  protection 

—  Use  of  a  single  line,  high  integrity  diverter  for  handling  of  possible 
shallow  gas  blowouts 

—  The  Veslefrikk  field  has  a  limited  blowout  flowrate  potential,  owing  to 
limited reservoir pressure, which decreases as the field is produced.

3.1.4 Safety Evaluations During Engineering and Fabrication

3.1.4.1  Overview 

A  typical  schedule  of  risk  assessment  studies  during  engineering  and  fabrication 
phases  may  look  as  follows: 

Concept  selection: 

-  Comparative  safety  evaluation  of  alternate  concepts  is  often  the  first 
step,   intended  to  provide  insight  for  selection  of  the  optimum  concept. 

-  First coarse Concept Safety Evaluations (CSE).

Engineering:

-  Several more refined stages of Concept Safety Evaluations (CSE). The
hazards  covered  in  these  studies  are  blowouts,  riser/pipeline  failures, 
process  system  leaks,  collisions,  and  structural  and  marine  related 
failures,  as  shown  in  Figure  2.3. 

-  Limited  design  accidental  load  studies,  reliability/availability  studies 
of  safety  system  design,  and  so  forth,  to  clarify  detailed  solutions,  and 
evaluate  whether  premises  from  earlier  studies  have  been  implemented  in 
practice.

-  Emergency  Evacuation  studies  to  assess  the  expected  success  rate  of  the 
evacuation  system  and  procedures,  in  order  to  optimize  the  emergency 
evacuation  system. 

-  Collision  risk  studies  to  determine  what  (if  any)  risk  reduction  measures 
may  be  required,   in  order  to  control  this  aspect  of  risk. 

-  Total  Risk  Analysis  (TRA)  at  completion  of  engineering  design  work,  to 
document  the  fatality  risk  level,  and  provide  basis  for  specification  of 
requirements  to  operational  procedures. 

Fabrication: 

-  Updated  studies  concerned  with  design  changes  that  are  performed  during 
fabrication  and  construction 

-  Updated  studies  concerned  with  revisions  made  to  procedures  for  operation 
or  emergency  preparedness. 

3.1.4.2 Risk Quantification

Figure  2.3  presents  a  typical  risk  level  graph  for  a  fixed  offshore  production 
platform.  The  frequencies  shown  in  the  figure  are  for  Residual  Accidental  Events, 
which, according to Guidelines by the Norwegian Petroleum Directorate, are
accidental events of such severity that at least one safety function is
impaired, the safety functions being:

-  Escapeways

-  Shelter Area

-  Support Structure

The contributions to the risk level in Figure 2.3 are structured according to
NPD Safety Evaluation Guidelines, where the major subdivision is in two
categories, one associated with fire and explosion and the second
associated with structural impact.

The  blowout  category  is  often  seen  to  be  the  highest  contribution  to  platform 
risk.  Fires  and  explosions  in  process  areas  and/or  collision  against  platform 
will often belong to the second highest category. Evaluation of accidental
consequences following a hydrocarbon leak in the processing areas is therefore
important.  This  is  often  performed  by  means  of  an  event  tree  analysis  which 
takes  safety  systems  and  protective  measures  into  account. 

The  terminal  events  from  an  event  tree  following  a  hydrocarbon  leak  can  be 
collected in three different groups, one of which is the unignited events, while
the two others are ignited events with short or extended duration. Short duration
implies that the ESD system works, while extended duration occurs when the ESD
system  or  valves,  or  the  shut-off  valves,  malfunction,  so  that  a  larger  volume 
may  leak. 

A  fatality  risk  picture  is  presented  in  Figure  2.4. 

Figure  2.5  presents  a  typical  event  tree  for  a  hydrocarbon  leak. 

3.1.4.3 Selection of Design Accidental Events

Accidental  Events  may  be  classified  into  three  categories: 

-  Events  that  normal  safety  systems  can  control  (these  belong  to  the  group 
of  Design  Accidental  Events) 

[Figure 2.3 RAE Frequencies for Fixed Production Platform. Axis: RAE frequency per platform year.]

-  Events which initially belong to the group of Residual Accidental Events,
on account of the severe accidental consequences. However, if the
frequency of occurrence is sufficiently low, these events will not increase
the residual risk level dramatically, and they may not need to be
transferred to the group of Design Accidental Events

The  accidental  events  on  a  platform  can  therefore  be  considered  with  respect  to 
frequency,  in  order  to  define  the  design  fires.  All  events  which,  when  summed 
together,  have  a  frequency  below  10~*  per  year  may  be  disregarded.  Typically, 
small/moderate  ignited  gas  leaks  (up  to  5  kg/sec  of  leak  rate)  have  frequencies 
higher  than  10~*  per  year.  More  extensive  leaks  (above  5  kg/sec)  have  been  found 
to  have  such  low  probability  that  they  could  be  disregarded. 


For the sake of conservatism large liquid leaks are selected as design fire
conditions for all liquid leaks, even though in some cases they could have been
disregarded on the basis of frequency.

Typical design accidental loads are radiation levels (e.g., 50 kW/m²) for
equipment  and  structures,  with  a  given  fire  duration. 
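
The event tree grouping of section 3.1.4.2 and the frequency screening of design fires described above, as an added Python example that is not part of the original paper. The leak frequencies, ignition and ESD failure probabilities, the cut-off value and all function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Leak:
    name: str
    rate_kg_s: float       # leak rate
    freq_per_year: float   # initiating leak frequency
    p_ignition: float      # probability that the leak ignites
    p_esd_fails: float     # probability that ESD or shut-off valves malfunction


# Constructed sample data (assumption), not taken from the Veslefrikk studies.
LEAKS = [
    Leak("small gas leak", 0.5, 2e-2, 0.05, 0.02),
    Leak("moderate gas leak", 5.0, 4e-3, 0.10, 0.02),
    Leak("large gas leak", 25.0, 2e-4, 0.30, 0.05),
]

# Constructed screening value (assumption), per platform year.
CUTOFF_PER_YEAR = 1e-4


def event_tree(leak):
    """Terminal-event frequencies for one leak, in the three groups of the text.

    Short duration means the ESD system works; extended duration means the
    ESD system or the shut-off valves malfunction.
    """
    ignited = leak.freq_per_year * leak.p_ignition
    return {
        "unignited": leak.freq_per_year * (1.0 - leak.p_ignition),
        "ignited_short": ignited * (1.0 - leak.p_esd_fails),
        "ignited_extended": ignited * leak.p_esd_fails,
    }


def ignited_events(leaks):
    """Flatten the ignited terminal events as (leak name, group, frequency)."""
    events = []
    for leak in leaks:
        tree = event_tree(leak)
        for group in ("ignited_short", "ignited_extended"):
            events.append((leak.name, group, tree[group]))
    return events


def screen_design_fires(events, cutoff):
    """Split events into design fires and disregarded events.

    Events are taken from least to most frequent and disregarded for as long
    as their summed frequency stays below the cut-off. Everything more
    frequent becomes a design accidental event. Returns
    (design, disregarded, summed frequency of the disregarded events).
    """
    design, disregarded = [], []
    summed = 0.0
    for event in sorted(events, key=lambda e: e[2]):
        if not design and summed + event[2] < cutoff:
            summed += event[2]
            disregarded.append(event)
        else:
            design.append(event)
    return design, disregarded, summed


if __name__ == "__main__":
    for leak in LEAKS:
        print(leak.name, event_tree(leak))
    design, disregarded, summed = screen_design_fires(
        ignited_events(LEAKS), CUTOFF_PER_YEAR
    )
    print("design fires:", [(n, g) for n, g, _ in design])
    print("disregarded:", [(n, g) for n, g, _ in disregarded])
    print("summed frequency of disregarded events: %.2e per year" % summed)
```

With these constructed inputs the short-duration fires from small and moderate leaks remain as design fires, while the large-leak fires and all extended-duration fires together stay below the cut-off.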

3.1.5     Safety  Evaluations  During  Field  Operations 

Safety evaluations during platform operation consist of the following
activities: 

-  Updating  of  safety  evaluations  to  keep  up  with  the  modifications  which  are 
implemented 

-  Separate  safety  studies  of  significant  modifications  which  are  carried  out 

-  Safety evaluations of significant changes to operational premises that are
implemented 

A  systematic  approach  to  follow  up  on  analytical  premises  and  operational 
assumptions  is  sometimes  implemented.  This  may  be  carried  out  in  a  database 
format,  which  may  allow  searching  and  retrieval  of  information. 

Another  approach  that  may  be  implemented  in  the  future  is  the  utilization  of 
expert  systems,  where  platform  operation  and  risk  modelling  are  integrated,  to 
obtain  advice  on  how  to  operate  the  platform  most  efficiently  and  safely. 

3.1.6    Use  of  Quantitative  Risk  Assessments 

The  use  of  quantitative  risk  assessment  studies  was  often  viewed  rather 
critically at the beginning of the 1980's, when this was a new exercise. Some of
the  main  aspects  that  were  viewed  as  negative  at  the  time  were: 

-  lack  of  frequency  data,  based  on  relevant  operational  experience 

-  lack   of   risk   assessment   expertise   combined  with  technical/operational 
expertise 

-  studies   which  produced  absolute   risk   estimates    that  were   useless  for 
practical  design  purposes 

While  some  of  these  points  may  have  been  difficult  to  solve  satisfactorily  in  the 
first few years in the late 1970's and early 1980's, today more practitioners
believe  that  the  safety  evaluations  are  useful  in  the  search  for  optimum  safety 
on  offshore  platforms.  Justifications  for  this  belief  lie  in: 

-  The  use  of  quantitative  risk  estimates  primarily  in  a  relative  sense 

-  The  interest  in  extracting  from  the  studies  design  accidental  premises  and 
loads 


-  The  development  of  Design  loads  based  on  consequence  analyses,  related  to 
dimensions  and  durations  of  fire,  impact  loads  in  collisions,  and  so  forth 

-  The  emphasis  placed  on  technical  details  and  design-related  aspects  in 
reliability  and  risk  studies,  in  contrast  to  the  overall  coarse  (more  or 
less  generic)  studies  being  conducted  in  earlier  years 

-  The  possibility  to  follow  up  on  premises  and  assumptions  from  an 
operational  and  procedural  point  of  view 

-  The finding that the main benefit of the studies is the risk analysis
process,  rather  than  the  analytical  results 

-  The  fact  that  the  experience  data  base  has  improved  significantly  over  the 
years.

3.1.7 Overview Safety Studies


A  number  of  studies  and  assessments  were  performed  during  the  Veslefrikk 
development  project.  These  included  such  aspects  as: 

—  Vulnerability  of  the  bridge  connection 

—  Vulnerability  of  the  catenary  flexible  hoses 

—  Structural  safety  of  a  floating  platform 

—  Evacuation  philosophy  using  a  conventional  lifeboat  concept 

—  Collision  hazard  between  a  floating  and  a  fixed  structure 

—  Use  of  active  and  passive  fire  protection 

—  Use  of  a  single  line,  high  integrity  diverter 

—  Use  of  subsea  barriers  on  pipelines 

The  reason  why  such  studies  have  been  carried  out  is  twofold: 

—  Being  novel,  the  design  concept  was  studied  in  depth  to  make  sure  that  no 
hazards  were  overlooked  or  forgotten 

—  Risk  assessment  studies  were  used  repeatedly  to  optimize  the  safety 
protective  design. 

3.1.8    Results  and  Conclusions 

—  The  safety  level  assessed  for  Veslefrikk  is  better  than  for  most  other 
recent,   comparable  installations  in  the  North  Sea 

—  The  field  development  concept  has  been  proven  to  be  cost  effective,  and  to 
entail  a  favorably  low  risk  level 

—  More  specifically,  the  blowout  risk  is  low  compared  with  that  shown  for 
other  similar  developments,  mainly  owing  to  the  extent  of  predrilling. 
Also  other  risk  factors,  such  as  fire  and  explosion  due  to  riser  leaks  and 
leaks  from  process  equipment,  are  low  owing  to  good  ventilation  and  the 
possibility  to  separate  functions  on  two  structures 

—  The  use  of  flexible  hoses  between  the  fixed  and  floating  platform  for 
transfer  of  gas  and  oil  does  not  increase  risk,  given  the  possibilities 
for  isolation,  and  the  consequent  limited  amounts  of  hydrocarbon  in  case 
of  a  leak  from  one  of  these  lines 

—  The  main  features  with  respect  to  safety  are  the  bridge  connection  between 
the  platforms,  the  modern  semi-submersible  platform  with  many  special 
safety  features,  the  separation  of  areas,  and  the  existence  of  an  open 
process  area  which  prevents  escalation  of  accidental  effects 

—  The use of a bridge connection as the primary evacuation means for personnel
makes  up  for  the  use  of  conventionally  launched,  covered  lifeboats 

-  Safety studies have contributed to an optimization of the safety
protection, in the sense that detailed studies of accidental scenarios have
shown  that  the  protection  could  be  simplified,  without  reducing  the 
protective  characteristics 

-  A  specific  accidental  load  study  was  used  to  justify  the  proposition  that 
functional  properties  for  a  separating  deck  were  satisfied  given  the 
actual  loads,  even  though  detailed  specifications  could  not  be  adhered  to 

-  Comparison  of  two  alternative  active  fire  protection  solutions  was 
performed  in  order  to  assist  in  the  optimization  with  respect  to  safety 
and  installation  cost. 

3.1.9  General  Observations 

The  following  general  observations  may  be  made  in  relation  to  the  safety 
evaluations  carried  out  for  the  Veslefrikk  platforms: 

-  Use  of  quantitative  risk  assessment  models  from  the  first  stage  of  the 
development  has  provided  the  possibility  to  respond  in  a  precise  manner  to 
queries that have been made concerning protection aspects for the
Veslefrikk A and B platforms

-  The  quantitative  process  has  offered  the  opportunity  to  make  decisions 
regarding  safety  that  have  led  to  an  improved  safety  level 

-  Consideration  of  design  details  in  the  risk  assessments  has  turned  these 
studies  into  useful  tools  for  the  engineering  team  throughout  the  course 
of  platform  development 

-  A  unified  risk  model  used  from  the  earliest  concept  definition  stage  and 
carried  through  into  the  operations  phase  has  provided  a  useful  tool  for 
a  continued  risk  administration  process  and  an  efficient  utilization  of 
resources. 

3.2 Evaluation of the Usefulness of Probabilistic Risk Assessments

3.2.1 Benefits Due to Application of Risk Assessments

Those benefits are:

-  Qualitatively,  the  operator  gains  insight  into:  risk  mechanisms,  how 
hazards  are  created  and  can  be  prevented,  possibilities  available  for 
mitigating  accident  effects,  risk  aspects  of  overdesign  and  underdesign 

-  Quantitatively,  an  appreciation  of  the  dominant  contributors  to  risk,  and 
of  the  optimum  level  of  protection  against  unsafe  events 

3.2.2 Facilities for Which Risk Assessments Should be Used

Risk  assessments  should  be  used  for  the  following  types  of  facilities: 

—  All facilities involving investments on the order of at least a quarter to
half a billion dollars (over the field lifetime), even if traditional
development  technology  is  utilized 

—  Facilities  with  significant  novel  design,  construction,  installation  or 
operation  aspects 

—  Deep  water  facilities 

—  Installations  designed  by  using  principles  and  approaches  that  deviate 
significantly  from  recognized  international  or  domestic  standards. 

The  risk  assessment  methodology  should  not  be  used  for  facilities  involving 
application of 'off-the-shelf' technology and limited investment.

3.2.3  Time  and  Manpower  Requirements 

The  North  Sea  experience  in  applying  risk  assessments  is  that  these  studies  may 
be  conducted  in  parallel  with  planning,  design,  construction,  fabrication  and 
operations  with  no  significant,  if  any,  effect  on  overall  time  schedules. 

Typically,  these  studies  are  conducted  in  stages,  with  a  duration  of  up  to  2-4 
months  (down  to  1  month)  per  study  per  stage. 

The  total  manpower  requirements  are  to  a  large  extent  a  function  of  the  order  of 
magnitude  of  investment.  Typically,  for  a  field  development  schedule,  0.2  to  0.5 
percent  of  the  total  field  development  cost  (drilling  costs  excluded)  have  been 
estimated  to  be  resources  used  on  MCAPS  methodology  and  related  studies.  This 
figure  also  includes  the  internal  resources  needed  to  monitor  an  outside 
contractor. 

For  a  one  billion  dollar  investment,  a  complete,  detailed  risk  assessment  study - 
installation  would  typically  require  a  budget  of  the  order  of  one  staff-year, 
extended  over  a  two  to  four  months  period. 

3.2.4  Potential  Cost/Benefit  Ratio 

It  is  argued  that  the  Cost/Benefit  ratio  often  is  less  than  1  over  10. 

Risk  assessment  studies  used  in  a  'non-prescriptive'  environment  (i.e.  where 
there  are  no  minimum  standards  that  have  to  be  satisfied  irrespective  of  risk 
level)  have  often  been  viewed  as  reducing  overall  development  costs.  An  example 
is  the  finding  that  a  certain  deluge  system  can  be  removed  without  significant 
effect  on  the  overall  risk  level  for  equipment  and  personnel. 

3.2.5  Availability  for  Use 

The  risk  assessment  methodology  has  been  used  extensively  in  the  Norwegian 
offshore  industry  for  more  than  10  years,  and  in  the  entire  North  Sea  for  the 
last  two  to  three  years.  It  appears  to  be  a  relatively  consistent  view  taken  by 
most  operators  that  the  methodology  yields  clear  benefits. 

It can be argued that the new Risk Analysis Regulations enforced by the Norwegian
Petroleum Directorate (NPD) from February 1, 1991 represent a follow-up on the
part of NPD on what the dominant operators have been doing voluntarily for
several  years.  The  regulations  will  make  adherence  to  appropriate  risk  analysis 
practices  uniform  among  operators. 

Thus,  at  least  operators  in  the  North  Sea  (that  is,  most  of  the  major 
international  operators)  should  view  the  methodology  as  being  now  available  for 
use.

This  does  not  mean  that  no  problems  exist.  Indeed  many  difficulties  exist.  An 
effective  and  defensible  use  requires  that  all  involved  be  well  aware  of 
weaknesses  and  problems.  However,  the  techniques  are  available  for  use  to  an 
extent  that  the  benefits  very  often  exceed  the  costs  by  far. 

3.2.6 Reliability and Defensibility of Results

The reliability and defensibility of the results depend upon the way in which
analysis  techniques  are  used.  In  the  United  States  the  techniques  have  been  used 
primarily  in  the  nuclear  industry  and  in  environmental  protection  for 
verification  purposes.  In  this  context  the  main  concern  was  the  uncertainty  in 
an  absolute  sense. 

In  the  North  Sea,  however,  the  primary  use  of  the  risk  assessment  methodology  has 
been  as  a  design  tool,  where  relative  uncertainties  are  of  interest.  Such  use  is 
much  less  controversial. 

For the latter type of use the reliability and defensibility of results depend
on: 

-  the   models    that   are   used   for   probability   estimation   and  consequence 
assessment 

-  the  data  that  are  fed  into  the  models 

-  the  competence  (know-how)  of  the  analysts  with  respect  to  risk  modelling, 
offshore  design  practices  and  offshore  operational  practices. 

For  the  relative,  comparative  use  of  reliability  estimates  it  is  argued  that  the 
models  and  data  are  largely  sufficient  for  yielding  reliable  and  defensible 
results  capable  of  supporting  clear  conclusions. 

Some  forms  of  use  require  interpretation  in  an  absolute  sense.  This  is  when 
significant  uncertainties  arise  and  can  be  a  matter  of  serious  concern. 

The  know-how  aspect  is  perhaps  the  most  difficult  to  deal  with  satisfactorily  in 
practice.  Both  the  resources  being  planned  and  budgeted  for  the  analysis  and  the 
qualifications  and  capabilities  of  the  personnel  must  be  adequate. 

4. Problem Areas

4.1 Technological Barriers

Lack  of  data  for  novel  systems  is  one  of  the  main  obstacles  for  efficient  use  of 
risk  management  techniques.  This  may  be  compensated  for  to  some  extent  by: 

-  Comparison  with  similar  concepts  and  systems 

-  Theoretical  studies  on  component  level 

By  comparison  with  similar  concepts  and  systems  it  is  possible  in  some  cases  to 
achieve  assessments  of  risk  levels  to  within  an  order  of  magnitude;  closer 
assessments  may  be  difficult  to  achieve. 

Another  action  which  will  gradually  improve  the  situation  is  development  of 
improved  models  for  physical  development  of  accidental  scenarios. 

It    remains    true    that    risk    estimates    are    characterized   by  uncertainties, 
particularly  for  novel  systems.  This  applies  especially  to  estimates  used  in  the 
absolute  sense,  which  should  be  considered  as  order-of-magnitude  values. 

4.2 Institutional and Cultural Barriers

Risk  assessments  are  not  used  in  Norway  to  subject  the  operator  to  pressures  on 
the  part  of  the  authorities  to  achieve  additional  safety  improvements.  This  is 
probably    the    main    reason   why    risk   management    techniques    have    been  rather 
successful  in  practical  use  over  a  decade  in  Norway.  The  following  statements 
can be made concerning the use of risk assessments in Norway:

-  They  are  not  used  for  verification  of  safety  levels 

-  They  are  used  primarily  as  a  design  tool 

It  appears  sometimes  that  the  oil  and  gas  industry  in  other  countries  may  fear 
that  the  risk  assessments'  role  is  to  'prove'  an  acceptably  low  risk  level,  and 
that  such  a  fear  prevents  the  industry  from  using  these  techniques.  Such  a  role 
would  be  similar  to  the  role  played  by  risk  assessments  in  other  industries,  such 
as  the  nuclear  industry,  where  it  is  surrounded  by  a  great  deal  of  controversy. 

Based  on  the  Norwegian  experience,  it  appears  that  it  is  essential  that  risk 
assessment  be  considered  also  in  other  countries  as  a  design  tool.  Further,  the 
legal  framework  should  in  our  opinion  be  such  that  risk  assessments  are  not  used 
as  evidence  against  the  industry  if  accidents  occur. 

It  will  be  important  for  the  successful  utilization  of  risk  management 
techniques,  that  the  difference  between  the  process  of  risk  assessment  and  the 
results  is  appreciated.  The  process  of  risk  analysis  provides  an  overview  of  the 
risk  picture,  identifies  the  most  important  elements  of  risk,  and  provides 
suggestions for risk reduction. The insights created by this process are in
themselves  valuable  as  a  basis  for  improvement  of  the  overall  risk  level.  Risk 
assessments  indicate  which  are  the  most  important  elements  of  risk  and  allow  a 
presentation  of  the  total  risk. 

It will be important to realize that the quantitative results of a risk
assessment  should  be  considered  as  notional  probabilities  and  not  as  statistical 
estimates  in  an  actuarial  sense. 

It  is  further  important  to  realize  what  the  actual  purpose  of  the  quantitative 
risk models is. The purpose of developing a quantitative model is to provide an
estimate of probabilities of future occurrences. There will always be
considerable uncertainties associated with these estimates. Only the order of
magnitude of the risk estimates should therefore be taken into consideration.

Finally, it is important to realize that 'exact' physical modeling is not required
in  the  risk  assessment  process  in  order  to  obtain  defensible  results.  'Exact' 
physical  modeling  of  particular  phenomena  will  often  be  so  laborious  that  the 
costs  associated  with  it  and  with  the  assessment  of  risk  would  be  unjustified. 
Therefore  one  has  to  use  more  approximate  physical  models  which  have 
uncertainties  in  line  with  the  overall  uncertainties  involved  in  the  assessment. 


5. Research Needs

5.1 Risk and Acceptance Criteria

In  the  new  Norwegian  legislation  the  task  of  defining  acceptance  criteria  for 
risk  has  been  left  to  the  individual  operating  companies.  This  has  led  to  some 
coordinated  efforts  in  the  industry  to  arrive  at  acceptance  criteria  that  are 
reasonably  uniform  among  the  individual  companies. 

The  working  group  agreed  that  such  an  approach  could  be  successful  in  Norway, 
where  acceptance  criteria  had  been  prescribed  by  the  authorities  for  nearly  a 
decade. However, in countries where this has not been the case, such an approach
might  be  less  desirable.  It  was  noted  in  particular  that  the  Canadian  approach 
is  based  on  the  definition  of  acceptance  criteria  by  the  authorities. 

5.1.1  Cost/Risk/Benefit  Studies 

The  use  of  Probabilistic  Risk  Assessment  (PRA)  for  the  purpose  of 
Cost/Risk/Benefit  Assessments  (CRBA)  is  a  valuable  application  of  the  PRA 
methodology.  The  PRA  approach  is  used  mainly  in  a  relative  sense,  which  is 
useful  for  CRBA's.  The  CRBA  approach  is  illustrated  by  the  following  case 
relating  to  isolation  valves  on  subsea  gas  pipelines. 

A  cut-off  valve  is  placed  on  the  pipeline  at  a  distance  L  from  the  platform.  It 
is  intended  to  reduce  the  duration  of  the  flow,  if  a  serious  leak  (or  rupture) 
occurs  near  the  platform  or  on  the  riser.  The  duration  of  a  possible  fire  should 
thus  be  significantly  reduced.  The  size  of  a  possible  gas  cloud  will  be  reduced 
also.  However,  even  with  the  valve  being  installed,  that  cloud  may  be 
sufficiently  large  that  an  extensive  gas  cloud  explosion  could  occur. 

The  benefit  due  to  the  presence  of  such  a  valve  is  therefore  reduced  accident 
costs, should a rupture or leak of the riser or pipeline occur near the platform.
This benefit has both an economical aspect, as well as an aspect related to
reduced personnel risk.

If a leak occurs, the accident may develop in several ways. As a simple
illustration one may regard the accidental consequence, C. C is to be understood
as a vector, which has to be assessed through an event tree analysis.

The  average  benefit  may,  as  a  simplification,  be  regarded  to  be  constant  in  the 
operational  period,  and  may  further  be  regarded  to  include  accident  and 
operational  costs.  Operational  and  maintenance  costs  must  be  calculated  as  part 
of other annual cost factors.

The  simplification  of  fixed  costs  is  only  made  for  illustrative  purposes.  The 
benefit is in fact always a time dependent function, due to its dependence on
production  delay,  and  hence,  loss  (delay)  of  income. 

For  the  assessment  of  net  annual  benefits,  we  must  take  into  consideration  that 
running  and  maintenance  costs  are  deterministic  (though  the  amount  may  be 
variable), while reduction in accident and repair costs are probabilistic
elements  that  reflect  the  probability  of  occurrence  of  a  leakage. 

The  evaluation  of  economical  risk  in  association  with  personnel  risk  may  be 
carried  out  in  the  following  way: 

1.  An extra safety investment is calculated using the CRBA approach, and the
Net Present Value (NPV) is assessed.

2.  The safety investment is favourable if the NPV value for the safety
investment is positive.

3.  The  personnel  risk  effects  are  included  in  the  evaluation  only  if  the  Net 
Present  Value  is  negative. 

4.  The  investment  in  safety  measures  is  related  to  the  personnel  risk  by 
assessing  the  NPV  value  per  statistical  life  saved  over  the  applicable 
period. 
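The four steps above can be followed through for the isolation valve case. The sketch below is an added example, not part of the workshop proceedings: every figure (leak frequency, event tree branches, costs, interest rate) is constructed for illustration, the function and field names are hypothetical, and counting the lives saved without discounting is an assumption of this example.

```python
"""Cost/Risk/Benefit Assessment (CRBA) of a subsea isolation valve.

Added illustration. All numbers are constructed, none come from the proceedings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One event-tree end state, conditional on a leak near the platform."""
    name: str
    probability: float  # conditional probability given that a leak occurs
    cost: float         # accident and repair cost (monetary units)
    fatalities: float   # expected fatalities in this end state


def expected_consequence(tree):
    """Collapse an event tree into the consequence vector C = (cost, fatalities)."""
    total = sum(o.probability for o in tree)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total}, expected 1.0")
    cost = sum(o.probability * o.cost for o in tree)
    fatalities = sum(o.probability * o.fatalities for o in tree)
    return cost, fatalities


def crba(investment, annual_om_cost, leak_frequency,
         tree_without, tree_with, years, interest_rate):
    """Apply steps 1 to 4 of the evaluation to one safety investment."""
    cost_0, fat_0 = expected_consequence(tree_without)
    cost_1, fat_1 = expected_consequence(tree_with)

    # Probabilistic element: expected annual reduction in accident cost.
    annual_cost_reduction = leak_frequency * (cost_0 - cost_1)
    # Deterministic element: running and maintenance cost of the valve.
    net_annual_benefit = annual_cost_reduction - annual_om_cost

    # Step 1: NPV, using the simplification of a constant annual benefit.
    npv = -investment + sum(
        net_annual_benefit / (1.0 + interest_rate) ** t
        for t in range(1, years + 1)
    )

    # Statistical lives saved over the period (undiscounted: an assumption).
    lives_saved = years * leak_frequency * (fat_0 - fat_1)

    result = {
        "annual_cost_reduction": annual_cost_reduction,
        "npv": npv,
        "lives_saved": lives_saved,
        "favourable": npv > 0,          # Step 2
        "cost_per_life_saved": None,
    }
    # Steps 3 and 4: personnel risk enters only when the NPV is negative.
    if npv < 0 and lives_saved > 0:
        result["cost_per_life_saved"] = -npv / lives_saved
    return result


# Constructed event trees. With the valve the fire is shorter, but the gas
# cloud explosion branch is left unchanged, as the text notes it may be.
TREE_WITHOUT = [
    Outcome("long-duration fire", 0.3, 200e6, 5.0),
    Outcome("gas cloud explosion", 0.1, 500e6, 20.0),
    Outcome("no ignition", 0.6, 10e6, 0.0),
]
TREE_WITH = [
    Outcome("short-duration fire", 0.3, 40e6, 1.0),
    Outcome("gas cloud explosion", 0.1, 500e6, 20.0),
    Outcome("no ignition", 0.6, 5e6, 0.0),
]


def worked_example():
    """Valve costing 2.0e6 plus 5.0e4 per year, over 20 years at 7 % interest."""
    return crba(investment=2_000_000, annual_om_cost=50_000,
                leak_frequency=1e-3, tree_without=TREE_WITHOUT,
                tree_with=TREE_WITH, years=20, interest_rate=0.07)


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:24s} {value}")
```

With these constructed inputs the NPV is negative, so the decision rests on the cost per statistical life saved rather than on economics alone.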

The  Cost/Risk/Benefit  approach  has  been  used  for  the  Norwegian  Continental  shelf 
in  tasks  such  as  the  following: 

-  Selection  of  emergency  isolation  valves 

-  Selection  of  extra  well  blowout  protection  valves 

-  Selection  of  active  and  passive  fire  protection  measures 

5.1.2     Software  Tools 

Software  tools  are  important  for  rationalizing  the  effort  needed  to  conduct  risk 
assessments.  Software  tools  also  allow  the  studies  to  be  repetitive  and  provide 
more  precise  documentation.  Numerous  software  products  are  available  for  limited 
analytical  tasks  such  as  Fault  Tree  Analysis,  Data  Analysis,  Failure  Mode  and 
Effect  Analysis,  and  so  forth.  For  offshore  risk  analysis  purposes  no  integrated 
packages  for  total  risk  assessment  are  available.  Some  packages  are  available  for 
onshore  risk  analysis,  and  there  is  at  present  one  major  development  project  in 
progress  for  offshore  risk  assessment  software. 
However, on the management side, few software packages are currently available.

5.2  Integration into Design

The  intention  is  to  use  the  risk  assessment  methodology  in  an  optimization  of  the 
safe  design  and  operation  of  platforms.  This  implies  development  of  tools  that 
may  assist  the  industry  in  automated  design  of  intrinsically  safe  platforms,  with 
optimum  safety  built  in,  based  on  use  of  risk  analysis.  Tools  in  this  category 
will  have  to  rely  heavily  on  expert  system  technology. 

The  following  may  be  stated  concerning  the  use  of  risk  assessments  in  the  design 
process:

—  The  risk  assessment  process  should  be  closely  integrated  with  the  design 
process.  A  unified  model  for  risk  assessment  should  be  used  throughout  the 
process, allowing a quick response to any queries from the engineering
team. 

—  The  quantitative  studies  should  provide  a  basis  for  optimization  of  the 
safety  level.  Design  details  should  be  studied  in  the  risk  assessments, 
providing  a  basis  for  choosing  the  best  solutions  with  regard  to  safety. 

—  The  risk  estimates  should  be  used  primarily  in  a  relative,  rather  than  an 
absolute,  sense.  This  reduces  the  uncertainties  in  the  results  and  the 
sensitivity  of  the  conclusions  to  unavoidable  uncertainties  in  the 
assumptions  being  used. 

—  The  focus  in  the  studies  should  be  on  the  design  implications  of  the  risk 
assessment  results  rather  than  on  the  results  themselves.  The  premises  for 
the  studies  may  be  utilized  to  obtain  design  accidental  loads. 

—  The  focus  should  be  on  the  evaluation  of  design  details  rather  than  on 
assessment  of  the  overall  risk  level  of  the  platform.  Overall  studies  are 
primarily  relevant  in  relation  to  the  Norwegian  Petroleum  Directorate 
criteria  while  detailed  studies  are  more  useful  as  design  tools. 

—  A  realization  that  the  risk  assessment  process  itself  has  the  highest 
value;   the  analytical  results  are  usually  of  minor  importance. 

—  Risk  assessments  can  be  used  without  creating  significant  controversies. 

The  experience  with  this  approach  is  positive,  and  it  is  apparent  that  it  has 
contributed  to  improving  the  risk  level  of  the  platforms.  There  is  also  an  aspect 
of  satisfaction  for  the  consultants  performing  the  safety  studies,  because  this 
process  gives  an  opportunity  to  influence  the  design  process. 

5.2.1    Life  Cycle  Cost  Optimization 

Optimization  of  life  cycle  costs  (including  risk  costs)  will  be  performed  as  an 
overall  economic  analysis.  The  following  data  should  be  used  as  input,  in 
addition to the data obtained from event trees:

—  Duration for each production period

—  Production  volumes  for  each  period 

—  Unit  price  oil/gas 

—  Cost  and  price  escalation  factors 

—  Interest  rate 

—  Unavailability of well systems, process systems, export facilities

—  Average  period  of  deferment  for  production  delay  for  each  phase 

—  Average  operating  and  capital  costs  for  each  period 

5.3  Integration into Operational Planning

Use  of  risk  assessment  and  risk  management  techniques  may  also  provide  essential 
input  to  operational  planning.  In  particular,  analytical  premises  and  assumptions 
may  be  used  as  input  to  the  planning  of  manual  operations,  maintenance, 
inspection  and  intervention.  For  example,  assumptions  regarding  reliability  of 
safety  systems  may  imply  maintenance  requirements  and  inspection  and  test 
intervals,   in  addition  to  equipment  standards. 

Premises  and  assumptions  may  similarly  provide  input  to  preparation  of 
operational  manuals  as  well  as  procedures  and  manuals  for  maintenance  and 
inspection.  The  objective  is  that  these  premises  define  acceptable  standards  of 
work  and  give  warning  on  possible  unwanted  consequences  or  outcomes  of  the 
operations.

Design  accidental  loads  can  also  be  used  to  review  the  need  for  modifications  and 
their  possible  merits  with  respect  to  protection  against  accidental  scenarios  and 
loads. 

5.4  Physical  Modeling 

Considerable  effort  has  been  spent  lately  and  is  still  being  spent  on  modeling 
of  fire  and  explosion  scenarios  as  well  as  on  structural  responses  and  loading. 
The  knowledge  and  modeling  of  these  phenomena  are  therefore  gradually  being 
improved.  However,  the  models  are  often  related  to  rather  idealized  conditions 
and  are  not  capable  of  considering  the  complex  conditions  on  an  offshore 
installation. 

In  particular,  the  behaviour  and  responses  of  systems  and  elements  under  various 
kinds  of  accidental  loading  are  difficult  to  model.  Failure  mechanisms  of  novel 
systems, for instance flexible pipelines, also require additional effort.

5.5  Statistical  Data 

Reliability  data  for  production  and  process  equipment  have  been  collected  over 
the years, especially in the North Sea. The OREDA project provides a computerized
database  for  participants. 

Accident data bases exist from several sources including Minerals Management
Service (Events Data File), WOAD (Veritec, Norway) and others.

For  the  reliability  of  safety  systems  much  less  data  is  available.  Also,  data  on 
leaks,  ignition  of  gas  and  oil  as  well  as  data  to  describe  consequences,  are 
presently  lacking  to  a  considerable  extent. 

6.  Opportunities for Implementation and Application

A  strong  case  has  been  made  for  risk  analysis  to  be  considered  as  a  design  tool, 
rather  than  a  tool  for  verification  of  a  safe  design.  Risk  analysis  viewed  as  a 
design  tool  does  not  give  rise  to  controversies  over  numbers  such  as  have 
occurred  in  other  industries.  In  fact,  although  fear  of  endless  controversies  was 
a  major  concern  in  Norway  when  risk  assessment  was  introduced  in  the  early  1980s, 
it subsided within the first few years. Today, the approach is considered
effective  and  successful  by  most  companies  concerned. 

The  important  role  of  the  risk  assessment  as  a  design  tool  is  that  it  allows 
comparative  risk  assessment,  not  absolute  statements.  A  case  was  made  for  the 
design  tool  risk  assessment  to  be  quantitative.  Quantification  may  often  be 
limited  to  consequence  calculation  when  the  study's  aim  is  to  find,  for  example, 
what  fire  load  to  design  the  pipe  support  for,  or  what  impact  a  Tension  Leg 
Platform  must  be  able  to  sustain.  However,  in  some  instances  quantification  will 
also  have  to  comprise  probability  assessment,  and  in  such  cases  much  skill  and 
wisdom  are  required.  The  point  was  made  that  probabilities  should  be  regarded  as 
notional,  in  contrast  to  actuarial  probabilities.  This  consideration  goes 
together  with  the  use  of  probabilities  in  a  relative  sense:  a  probability  of  10"^ 
has  no  meaning  other  than  that  the  hazard  of  concern  is  much  less  significant 
than  hazards  with  probabilities  of  lO"''  or  lO"''. 

In  summary  there  are  many  opportunities  for  application  of  risk  management 
techniques  in  the  future  in  the  entire  offshore  industry.  In  Europe  many  of  the 
largest  platforms  of  the  first  generation  have  to  be  upgraded  in  order  to  meet 
the  safety  challenges  of  the  future.  Marginal  field  development  with  novel 
production  concepts  is  also  being  contemplated.  These  tasks  call  for  extensive 
use of risk management and risk assessment techniques.

In U.S. as well as in Canadian offshore areas developments are taken into deeper
waters. Both economical and personnel safety considerations are expected to
increase the need for risk assessment studies.

STRUCTURES: RISK AND RELIABILITY ISSUES

C. Allin Cornell
and
Gordon Edwards


1.  Introduction

Both  the  application  and  the  research  in  structural  reliability  assessment  are 
evolving  rapidly.  Even  at  the  time  of  the  1984  workshop,  probabilistic  methods 
had  been  in  use  for  two  decades  to  define  design  loads,  and  the  offshore  industry 
was  well  on  its  way  to  developing  a  probability-based  design  code  following 
principles  that  had  been  established  in  the  building  industry  for  a  decade.  Both 
these  applications  had  the  luxury  that  they  did  not  require  explicit 
probabilistic  analysis  by  the  user  and  that  they  could  be  calibrated  to  existing 
practice.  Therefore  the  structural  community,  while  long  committed  to  a 
probabilistic  basis  for  design,  does  not  have  a  broad  experience  base  with 
Quantitative  Safety  Analysis  as  currently  practiced,  for  example,  on  the  active 
mechanical  topsides  systems. 

To  improve  this  situation,  the  insights  and  advice  of  our  closest  predecessors 
(Working  Group  II  of  the  1984  Workshop)  have  generally  been  followed.  As  they 
suggested, isolated applications, demonstrations, and research have all increased
in  volume,  have  in  some  cases  coalesced  into  larger,  coordinated  activities 
(e.g.,  various  Joint  Industry  Projects),  and  have  provided  a  basis  for  the 
evolution  of  specifications  (e.g.,  the  API-LRFD,  the  CSA  offshore  code,  the 
current  European  considerations  of  adopting  a  modification  of  the  API-LRFD,  the 
recent revision to the NPD criteria). While the serious concerns of that 1984
Working Group bear careful re-reading (e.g., organizational and communication
problems,  risk  analysis  as  a  "sterile  acceptance  hurdle"),  we  believe  the  current 
atmosphere  is  generally  a  significantly  more  positive  one. 

In  particular,  the  use  of  probabilistic  analysis  is  now  more  readily  accepted  as 
the  only  reasonable  way  to  deal  with  certain  problems,  and  it  is  beginning  to 
influence  not  only  how  research  and  development  are  done  in  other  related  areas, 
but  which  problems  are  studied.  Examples  of  subjects  that  must  be  explicitly 
probabilistic  in  their  treatment  in  research  and  application  include 
environmental  descriptions,  irregular  seas  and  resultant  response,  fatigue, 
inspection  updating  and  planning,  and  so  forth.  Examples  of  research  and 
development  that  it  might  be  argued  are  responding  to  the  probabilistic 
developments  in  structural  design  and  reassessment  include  increased  interest  in 
collapse  analysis  of  jackets,  definition  of  joint  environmental  loading  criteria, 
and  linear  and  nonlinear  (random)  vibrations  analysis. 

2.  Scope

Because  of  the  potentially  excessively  broad  scope  of  our  working  group, 
effective  use  of  time  required  that  our  first  step  be  making  a  focused  definition 
of the scope. This process was in itself one of the most interesting and most
highly  charged  portions  of  the  group's  sessions.  The  co-chairmen  had  initially 
proposed  a  focus  on  two  reliability  dominated  subjects:  structural  systems 
analysis  and  joint  environmental  loading  characterization.  Other  lists  were  also 
offered.  The  observation  was  made  and  widely  supported  that  both  reliability 
assessment  and  safety  advances  are  driven  by  varying  mixes  of  "technological 
push"  and  "industrial  pull".  Although  not  unanimous,  the  consensus  was  to 
develop  our  operating  focus  by  identifying  those  topics  thought  (at  the  outset) 
to  have  the  greatest  opportunity  for  near-term  implementation  by  dint  of  their 
having both pull and push, i.e., because they were both perceived as needed by
industry and within the realm of current technology (or its close reach).


Through an interactive process, four topics fell out:

1.  Reassessment  of  Steel  Jackets 

2.  Optimization  of  Inspection,  Maintenance  and  Repair 

3.  Risk  Management  of  Novel/High  Consequence  Systems 

4.  Design: Reliability-Based Design, Design Norms, and Life-Cycle
Design Optimization


For  those  less  familiar  with  structural  engineering,  these  headings  can  be 
briefly  described  as,  respectively:  (1)  the  evaluation  for  continued  use  of 
existing  steel  jacket  structures;  the  causes  for  reassessment  may  be  advanced 
age,  life  extension  and/or  revised  use  beyond  the  original  design  basis, 
identified  damage,  or  revised  perception  of  environment  conditions;  (2)  the 
development  of  cost-effective  plans  for  future  inspection  and  repair  taking 
advantage  of  updating  based  on  past  inspections;  (3)  design  of  unusual  platforms 
when  information  is  limited  due  to  lack  of  prior  industry  experience  or  when  the 
impact  of  system  failure  is  significantly  higher  than  in  normal  practice;  and  (4) 
the  utilization  of  risk  and  reliability  analysis  in  routine  design  through 
improved  design  norms,  such  as  the  LRFD  proposals  now  under  consideration  by  the 
industry,   or  improved  definition  of  oceanographic  input  parameters. 

Although  designed  to  provide  a  focus,  the  four  subject  areas  were  understood  to 
be  broad  enough  to  require  discussion  of  many  other  topics  that  were  identified 
as  important  for  the  group's  consideration.  Several  that  were  consistently 
mentioned  included:  low  capacity  margin  systems  (e.g.,  jackups  and  tripods  can 
be  defined  as  "novel"  structures  because,  although  common,  they  are  believed  to 
have  lower  reserve  strength  ratios  than  conventional  four  and  eight  leg  jackets), 
TLPs, design for robustness to damage, comparative versus absolute probabilities,
target  probabilities,  treatment  of  uncertainty  in  probabilities,  cyclic  loading 
effects,  etc.  It  was  decided,  too,  that  for  efficiency  we  should  not  spend  time 
on  debate  of  the  details  of  basic  physical  modelling  issues,  except  as  they  have 
a first-order impact on one of the reliability assessment topics.


3.  State of Practice

The  working  group  considered  next  the  state  of  practice  of  risk  assessment  in  the 
four focus topics.

3.1  Reassessment of steel jackets


Although  not  all  companies  consider  it  routine  practice,  the  state  of  the  art  in 
practice  is  the  use  of  a  deterministic,  static  push-over  analysis  to  establish 
an  ultimate  system  capacity  (establishing  a  RSR  or  reserve  strength  ratio  defined 
as  the  ultimate  capacity  divided  by  the  original  design  capacity,  both  measured 
in  terms  of  base  shear,  for  example).  Probability  enters,  at  most,  by 
calculating  the  probability  that  a  wave  occurs  large  enough  to  exceed  this 
ultimate  capacity.  Major  reservations  remain  in  this  structural  assessment  (see 
below in the Problem Areas section).

Structural  reliability  analysis  capabilities  exist  to  go  further.  These  are 
system  reliability  analysis  methods  that  have  been  developed  significantly  since 
the  1984  workshop,  where  they  were  a  topic  singled  out  among  development  needs. 
Investigations  in  both  the  U.S.  and  Europe  have  led  to  illustrative  analyses  on 
full-scale  structures  and  to  software  that  has  found  its  way  into  practice.  With 
few  exceptions,  the  effort  has  been  reliability  under  extreme  loads;  several  have 
concluded  that  the  benefits  of  such  multi-failure  path,  probabilistic  systems 
analyses  are  marginal  (vis-a-vis  a  simple,  single  mean-centered  deterministic 
ultimate  capacity  analysis  coupled  to  a  probabilistic  long-term  wave  environment 
assessment).  In  contrast,  major  benefits  appear  likely  for  the  fatigue/systems 
problem.  Although  less  well-studied,  several  published  procedures  are  in  the 
literature  and  more  work  is  underway. 

Other  questions  associated  with  this  reassessment  topic  are  common  to  all  topics, 
e.g.,  treatment  of  uncertainty  in  small  probabilities,  "acceptable"  failure 
probabilities,  handling  of  modelling  uncertainties,  etc.  These  problem  areas 
will  be  discussed  below. 

We  might  summarize  the  state  of  practice  discussions  on  jacket  reassessment  by 
saying  that  first  generation  structural-mechanical  and  structural  reliability 
tools  are  available,  but  there  is  not  broad  consensus  as  to  how  to  use  the 
results  in  decision  making. 

3.2      Optimal  inspection,  maintenance,  and  repair 

Discussion  of  the  state  of  practice  here  centered  on  relatively  new  member-level, 
reliability-based  inspection  planning.  The  procedures  are  accepted  by  at  least 
some  certification  institutions,  are  practiced  routinely  by  some  contractors,  and 
are  cited  for  having  justified  50%  reductions  in  certain  North  Sea  inspection 
costs. Although member-oriented, recent advances have coupled these analyses
with  multiple  deterministic  push-over  studies  designed  to  identify  the  more 
critical  members  for  inspection  focus.  Although  this  process  reflects  system- 
wide  effects,  it  is  not  the  true  system-reliability-based  inspection  optimization 
method  that  one  can  visualize  being  within  reach  of  relatively  near-term 
reliability  analysis  research  developments. 

Most  group  members  considered  this  problem  a  subset  of  the  topic  of  reassessment 
of  existing  jackets;  they  believe  that  in  new  designs,  inspection  should  not  be 
the "first line of defense" for fatigue reliability. Rather, long design fatigue
lives  coupled  with  design  for  system  robustness  (given  a  local  failure) 
constitute the more efficient and safe design philosophy.

3.3  Risk management of novel and/or high consequence systems

The  state  of  practice  in  this  topic  is  mixed.  It  was  widely  agreed  that 
reliability  analyses  should  be  a  major  industry  tool  for  unusual  systems,  new 
environments,  and  uncommonly  high  failure  consequence  situations.  And  the  group 
cited  many  interesting  examples  of  applications  in  practice.  These  included 
several  TLP  applications  (e.g.,  risers,  set-down  effects  on  tendon  reliability, 
and  tether  failures  impacting  risers),  deck  height  decisions,  caisson-structure 
design,  etc.  In  some  cases  the  studies  involved  comparisons  among  alternate 
concepts;  often  the  results  were  "benchmarked"  to  parallel  studies  on 
conventional  jacket  structures  where  the  preponderance  of  our  experience  resides. 

Novelty  implies  less  experience  that  in  turn  implies  less  information,  whether 
derived  by  analysis  or  observation.  Particularly  when  comparing  novel  versus 
conventional  concepts,  one  should  consider  the  effect  of  this  "Type  II" 
(epistemic)  uncertainty  in  the  analysis.  Commonly  included  in,  for  example, 
nuclear  power  plant  risk  assessments,  it  has  only  recently  begun  to  make  its 
appearance in offshore analyses.

The  general  industry  acceptability  and  likelihood  of  doing  such  analyses  seem 
both  to  have  improved  over  1984,  but  apparently  in  a  non-uniform  way.  Still, 
however,  the  expertise  resides  only  in  certain  operators  and  contractors,  the 
level  of  encouragement  and/or  receptivity  of  regulators  varies  geographically, 
and  there  exists  a  lack  of  standardized  guidelines  for  decision  making.  These 
conditions  (and  other  problem  areas  discussed  below)  continue  to  limit  the 
application  of  reliability  analyses  even  in  this  area  where  its  utility  is  so 
apparent  to  all  informed  parties. 

3.4  Design: reliability-based design, design norms, and life-cycle
optimization

In  this  area  there  has  been  marked  progress  since  1984.  Reliability-based  design 
norms  (with  deterministic  formats  such  as  LRFD)  are  now  the  standard  for  code 
development.  In  the  offshore  industry  this  use  of  reliability  is  currently  being 
engaged  to  re-write  codes  of  practice  for  conventional  jackets  in  many  parts  of 
the  world.  Further,  a  parallel  development  is  underway  for  TLP  design.  In  most 
cases,  calibration  to  successful  past  practice  has  been  used  as  the  basis  for 
setting  the  (often  implicit)  annual  failure  probability.  The  introduction  and 
use  of  such  probability-based  norms  has  encouraged  the  development  of 
improvements,  for  example,  in  the  code  treatment  of  joint  environmental  loadings. 
A  major  exception  is  foundation  design  where  several  obstacles  to  reliability- 
based  code  development  remain. 

A  next  step  might  be  direct  reliability  design,  i.e.,  where  explicit  reliability 
calculations  are  made  and  compared  with  required  reliability  targets.  Building 
design  developments  in  Europe  are  moving  in  this  direction.  The  computational 
capabilities  exist;  standard  distribution  assumptions  are  to  be  made  available 
as  default  values;  widespread  familiarity  with  reliability  is  missing,  however, 
together  with  critical  joint  environmental  data  in  many  locations.  Education  is 
in  place  in  some  universities,  but  this  capability  will  be  slow  to  develop 
without a major industry "pull".

The application of the ultimate, full-life-cycle, cost-risk-benefit optimized
design  process  is  not  on  the  horizon.  Most  attendees  agreed  that  the  basic  tools 
are  available  and  that  the  framework  is  in  view.  (Joint  Industry  Projects  such 
as  the  MCAPS  project  have  addressed  the  problem.)  Again  the  area  needs  a  major 
industry  pull,  which  in  turn  requires  that  proponents  demonstrate  and  communicate 
both  to  engineering  colleagues  and  to  management  that  there  are  substantive 
benefits  to  be  gained.  These  might  be  improved  flexibility  of  future  platform 
use,  limiting  of  "downside"  risks  (e.g.,  by  improved  robustness  to  damage), 
designing  out  recurrent  costs  (e.g.,  by  eliminating  fatigue  inspections),  etc. 

4.  Problem Areas

Review  of  the  state  of  the  art  of  reliability  approaches  in  the  four  high 
leverage  areas  led  the  working  group  to  identify  a  number  of  broad  problems  and 
issues  requiring  resolution  to  allow  significant  further  progress  in  these  areas. 

In  developing  this  information,  it  was  fully  realized  that  while  some  problems 
would  demand  significant  further  research  for  their  resolution,  others  are  more 
linked  to  industry  consensus  building,  development  of  common  views  and  agreed 
"paradigms"  for  performing  analyses.  Furthermore,  in  certain  cases,  emerging 
legislative  frameworks  and  the  differences  between  these  in  various  countries  are 
likely  to  have  a  strong  impact  on  the  direction  and  pace  of  technology 
development. 

Due  to  the  strong  links  among  the  above  issues,  it  is  not  felt  meaningful  at  this 
stage  to  separate  the  problems  into  the  different  classes.  They  are  recorded 
here  in  narrative  form  in  the  sense  and  context  in  which  they  were  expressed  by 
the working group members.

4.1      Reassessment  of  steel  jackets 

Current  approaches  for  evaluating  RSR  ratios  of  jackets  under  wave  loading 
rely  on  a  static  pushover  model  of  failure.  This  is  unlikely  to  be  fully 
realistic  in  most  cases  and  leads  to  a  (currently)  difficult  decision  in 
assessing  the  percentage  of  identified  reserve  strength  which  can  be  utilized  in 
a  reassessment/re-qualification  exercise. 

A  major  issue  here  was  recognized  to  be  the  possibility  of  high  strain/low  cycle 
"shakedown"  or  strength  reduction  in  a  jacket  due  to  the  passage  of  a  sequence 
of  near  extreme  wave  loading  events  —  either  in  the  same  storm  or  different 
storms.  The  problem  is  both  a  structural  one  (i.e.,  does  the  structure  degrade 
under such events?) and an oceanographic/wave loading one (i.e., can and do such
events  take  place  —  and  if  so  with  what  probability?)  Initial  indications  to 
both  the  above  questions  are  "yes",  although  work  is  required  to  further  evaluate 
these  issues.  Additionally,  inertia  effects  and  "near  failure  dynamics"  are 
recognized  as  of  importance  in  assessing  the  realism  of  static  RSR  analyses. 

Similar  questions  about  static  pushover  analyses  arise  in  the  re-qualification 
of  structures  under  earthquake  loading  —  with  additional  uncertainties  in  the 
area  of  load  distribution  (i.e.,  are  inertia  loads  likely  to  follow  the  same 
pattern as in pushover analyses?). Also, what is the "definition" of ultimate
capacity under earthquakes?


In the situation of re-qualification of damaged structures, group members felt
there  to  be  insufficient  information  to  fully  characterize  the  remaining  strength 
of  damaged  members.  This  was  felt  particularly  difficult  to  assess  in  a 
risk/reliability  mode  due  to  the  increased  variance  (uncertainty)  which  may  be 
introduced  —  partly  associated  with  material  property  changes  due  to  the  damage 
event (e.g., embrittlement). However, it was fully realized that advanced
analysis approaches (e.g., non-linear finite element) are becoming widely
available to assist here on a case-by-case basis — certainly in a deterministic
mode.

Another  issue  over  which  the  group  felt  uncertain  is  the  probability  of  failure 
which  can  be  accepted  over  the  remaining  life  of  a  structure  —  given,  for 
instance,  that  the  structure  has  operated  for  20  years  and  another  5  years  duty 
is  required.  Current  views  in  other  public  safety  areas  indicate  the  same  annual 
probability  of  failure  should  be  accepted  as  in  the  structures'  history  — 
providing  consequences  of  failure  are  similar  in  the  future  period  of  duty.  In 
other  words,   the  future  period  of  operation  is  irrelevant. 

Finally,  it  was  generally  recognized  in  the  offshore  environment  that  a  proper 
characterization  of  the  loading  and  loading  uncertainties  for  the  remaining 
period of duty is critical for rational decision making in a re-qualification
exercise.  This  should  not  necessarily  reflect  simply  the  design  assumptions  but 
should  include  all  latest  information,  e.g.,  new  hindcast  wave  data  methods  for 
accounting  for  joint  probability,  latest  wave  kinematics  and  fluid  loading 
models.  In  other  words  the  engineers'  best  knowledge  and  information  at  the  time 
of  reassessment  is  required. 

4.2      Optimal  inspection,  maintenance  and  repair 

To  some  extent  this  is  part  of  the  above  issue  —  a  reassessment  exercise  should 
also  include,  where  appropriate,  a  re-statement  of  future  inspection  strategies 
and  frequencies  to  help  assure  the  required  reliability. 

In  addition  to  this,  however,  group  members  recognize  the  wider  dimension  of 
utilizing  probabilistic  tools  at  the  design  stage  to  define  optimal  lifetime 
inspection  plans. 

Firstly,  it  was  recognized  widely  that  a  key  issue  in  any  risk/reliability 
approach  to  the  problem  is  characterizing  the  probability  of  detection  of  defects 
—  given  a  particular  inspection  device/operator  combination.  A  further  issue 
is  the  probability  of  sizing  defects  correctly  —  where  this  is  important  in 
reassessment. Broadly, this issue requires more data — in the operating
conditions and environment(s) of relevance — a major challenge!

In  relation  to  the  important  probabilistic  methods  and  tools  for  inspection 
planning  recently  developed  in  Norway,  it  was  felt  that  various  assumptions  are 
present  (e.g.,  initial  flaw  sizes  for  fatigue  cracking)  that  may  or  may  not  be 
relevant in a given situation. Further, the methods seem to require considerable
analysis to provide input data, for instance, one or more structure-wide fatigue
analyses. Clearly, also, a consequence analysis of a member's importance in the
total system should form part of the decision making process and group members
were not fully informed as to the degree to which this issue is included in the
various current approaches for assessing component target reliability levels.
Fuller awareness of all aspects of these recent tools is required to identify the
problems more clearly and work required to develop fully integrated
methodologies.

Finally,  the  group  recognized  that  inspection  planning  for  many  structures  is  not 
driven  only  by  the  likelihood  of  fatigue  cracking.  Routine  inspections  for 
marine growth fouling, dropped-object damage and other potential scenarios, e.g.,
foundation mudslides are variously contemplated. Integration of these issues
into  any  optimal  inspection  strategy  was  recognized  as  a  difficult  issue. 

4.3      Risk  management  of  novel  and/or  high  consequence  systems 

It  was  generally  recognized  that  for  new  types  of  structural  systems  (bearing 
little  similarity  to  existing  experiences)  it  is  of  great  importance  to  develop 
appropriate  physical  understanding  of  their  behavior  —  either  via  advanced 
engineering  analysis  approaches  or  appropriate  experiments/tests.  In  many  cases, 
this  level  of  engineering  insight  is  not  yet  available  and  tends  to  limit  the 
application/development  of  probabilistic  risk  approaches. 

Nevertheless,  some  degree  of  modelling  uncertainty  will  always  be  present  and 
must  be  formally  included  in  a  probabilistic  reliability  analysis.  If  the  models 
available  for  novel/high  consequence  systems  are  less  complete  than  for  more 
conventional  types,  then  there  will  be  greater  "uncertainty"  in  the  end  answer. 
This  must  be  properly  displayed  in  the  total  probability  of  failure  forming  the 
final answer and to some extent quantifies the "price of novelty". The main
problem in this area is that the mechanisms for doing these uncertainty analyses
are not widely agreed upon, and current approaches (e.g., via empirical
bias/knockdown  factors  or  subjective  probabilities)  are  heavily  laced  with  expert 
judgment. 

Furthermore,  the  level  of  thinking  on  "target  reliability  levels"  for  structures 
is  not  yet  advanced  enough  to  cater  for  the  "composite"  type  of  probability 
discussed  above  while,  at  the  same  time,  responding  to  socio-political 
perceptions  of  acceptable  safety  levels  —  which  are  generally  based  on  relative 
frequency  measures  of  probability. 

Further  problem  areas  related  to  reliability  of  novel/high  consequence  structures 
concern  the  difficulties  of  applying  standard  design  codes  which  are  backed  up 
with  experience  on  conventional  types.  In  an  unusual  structure,  robustness  under 
the  loss  of  one  or  more  members  may  be  much  lower  (especially  if  it  is  of  the 
slimline/low  cost  type)  and  post-failure  system  ductility  may  not  be  present. 
Therefore,  the  "simple"  safety  factors  present  in  conventional  codes  may  be 
insufficient  to  obtain  the  required  high  level  of  reliability. 

In  situations  such  as  that  above,  a  conventional  "engineering"  design  approach 
is  to  check  for  extreme  loadings  much  larger  than  the  conventional  "100  year" 
value.  This  presents  problems,  however,  in  deciding  on  the  return  frequency  to 
select  (e.g.,  1,000  year  or  10,000  year).  Also,  one  must  decide  on  the  precise 
definition of what should be regarded as a novel structure (i.e., one falling
outside current codes).


Broadly,  the  whole  approach  to  designing  for  and  assuring  reliability  levels  in 
novel/high  consequence  structures  is  a  very  immature  area.  A  great  need  exists 
for  developing  approaches  which  can  be  transferred  unambiguously  to  potential  end 
users  (either  by  special  calculation  procedures  or  design  code  recipes)  and  for 
coming  to  a  common  understanding  of  which  questions  to  ask  for  this  type  of 
system. 

4.4     Design:  reliability-based  design,  design  norms  and  life-cycle  optimization 

Current reliability-based (split-factor) design codes are most widely developed
for fixed jacket platforms (e.g., API RP2A LRFD). In the further development of
such codes, a strong need exists however to standardize on the calculation
approaches (paradigms) existing in different countries. Examples quoted by group
members included the way tubular joints are handled and the various probability
calculation methods (e.g., FORM and SORM) utilized.

Factors  affecting  "portability"  of  such  codes  to  other  areas  include  the  lack  of 
explicit  system  effects  and  the  fact  that  the  main  existing  version  (API  LRFD) 
has been calibrated to Gulf of Mexico data. Re-calibration of such a code to,
e.g., the North Sea or the Mediterranean, would require considerable work and/or
extra  data  for  these  areas.  Also,  another  available  code  (the  Canadian  one)  has 
had  no  structures  designed  under  it  yet. 

Additionally,  there  seems  to  be  little  information  on  split  factors  for  use  with 
foundations  under  varying  soil  conditions.  This  is  an  area  where  major  attention 
is  needed  together  with  the  development  of  appropriate  models  and  data. 

In terms of reliability-based codes for other structural types (e.g., Jackups,
TLPs)  these  are  beginning  to  emerge  (e.g.,  API  RP2T  for  TLPs)  but  are  hardly 
useable  yet  due  to  lack  of  calibration.  The  whole  issue  of  calibration  of  new 
split  factor  codes  in  the  absence  of  relevant  historical  data  is  therefore  of 
major  concern  if  progress  of  this  technology  is  required.  Generating  the  right 
funding  levels  to  do  this  is  also  a  major  hurdle,  with  a  small  effort  on  jackup 
split  factor  design  (as  a  follow-up  to  a  larger  Joint  Industry  Project  in  the  UK) 
being  a  recent  example  of  the  limited  exposure  the  topic  is  receiving.  Overall, 
final  versions  of  such  codes  for  structures  other  than  jackets  are  likely  to 
include  higher  uncertainties  and  therefore  put  greater  demands  on  obtaining 
agreed  methods  for  analyzing  such  uncertainties. 

As  a  special  topic,  the  issue  of  ice  forces  in  the  Arctic  was  considered  by  the 
group in terms of developing design norms and/or probability-based design codes.
It  was  realized  that  these  forces  by  their  very  nature  are  uncertain  and  demand 
probabilistic  treatment  (similar  to  waves)  but  developing  models  and  the  required 
data  for  probabilistic  treatment  represents  a  formidable  task. 

In  terms  of  design  norms  and  special  problems,  the  general  issue  of  selecting  the 
correct  air  gap  for  various  structural  types  was  seen  to  be  amenable  to 
probabilistic treatment. It was realized, however, that once the deck is
inundated with water, a radical change in the physical loading mechanism takes
place which must be very carefully handled in a probabilistic analysis.
Alternatively, the objective of design must be to avoid deck inundation with a
specified (high) probability.

Finally,  the  topic  of  life-cycle  design  optimization  was  seen  to  be  a  very 
challenging  goal  demanding  a  great  deal  of  (normally  unavailable)  information  — 
for  example  on  service  life/topside  loads  —  to  perform  rigorously  in  the  early 
stages.  However,  practical  steps  forward  to  develop  specific  probabilistic 
methods,  e.g.,  to  limit  the  downside  risk  if  extended  use/duty  were  required 
later,  were  seen  in  general  to  be  more  feasible  objectives.  This  is  strongly 
linked  also  with  one  of  the  other  high  leverage  areas  considered  by  the  group, 
i.e.,  optimal  lifetime  inspection  and  repair  planning. 

5.  Research Needs

Following  discussion  of  overall  problem  areas,  as  outlined  above,  specific 
attention  was  given  to  those  items  requiring  research  and  development  effort  to 
help  in  their  resolution,  and  to  the  definitions  of  the  R&D  required. 

Firstly, a number of R&D items largely common to the four areas were
identified.  These  are  listed  first.  Secondly,  specific  items  related  to  the 
individual  areas  emerged  and  are  listed  under  separate  headings. 

Overall,  the  group  considered  R&D  having  a  "first  order"  impact  on  the  ability 
to  assess  system  risk/reliability  should  be  given  high  priority  —  together  with 
those  items  brought  into  focus  by  the  wish/need  to  undertake  such  analysis. 
Thus,  for  example,  some  key  physical  modelling  and  analysis  are  included  —  but 
"refinements"  to  existing  principles  are  not. 

5.1        Common  R&D  items 

->  Establishing agreed methods for performing system reliability
analysis of complex or novel structural system types, including
foundations.

->  Acceptable methods of describing/analyzing the joint occurrence of
environmental variables and load in a probabilistic domain to form
input to system risk/reliability analysis. This effort should
include the uncertainties induced by limited data.

->  Development of agreed procedures for catering for model uncertainty
in system reliability analysis together with the fundamental
analysis/experimental data, etc., which underpins the
characteristics of model uncertainty.

->  Development of general philosophies for setting performance goals
and acceptance criteria to be utilized with risk/reliability
analysis.

->  Development of suitable methods for transferring reliability
analysis methods to end users — and agreed "paradigms" for
performing analyses.

5.2  Jacket reassessment/re-qualification

->  Establishment of agreed performance goals or acceptability criteria
when reassessing jackets from a risk/reliability viewpoint (e.g.,
reserve strength ratios, robustness, consequences, ductility).

->  Techniques for realistically assessing material parameter
characteristics in an existing jacket (e.g., toughness, yield) for
probabilistic analysis.

->  Assessment and probabilistic modelling of damaged member strength
and properties.

->  Modelling of the potential occurrence of several, sequential near
failure loads (in the same storm or subsequent storms) and the
resultant high stress/low cycle degradation of the jacket.

->  Assessment of inertia and near failure dynamics effects and
adjustments to static RSR values required.

->  Evaluation of repair techniques and their probabilistic properties
for reliability analysis and decision making.

->  Agreed approaches for analysis and definition of ultimate capacity
of structures under earthquake loading.

->  Efficient and reliable methods for performing static pushover RSR
analysis including importance of multiple failure modes.

->  Collating and summarizing relevant platform databases for use in the
public domain, e.g., damage occurrences, typical as-built defects
and inspection results.

->  Establishing and calibrating models to account for wave-in-deck
loads.

->  Realistic characterization of environmental loading uncertainties —
due both to natural variability and uncertainties due to imperfect
models — during the remaining life of a structure.

5.3  Optimal  inspection,  maintenance  and  repair 

->  Research to quantify the probability of detection and sizing of
defects correctly for various operator/tool combinations (i.e., both
human error and inspection tool reliability are of importance).

->  Development of system-level probabilistic inspection planning tools
which link component reliability with the importance/criticality of
the component in the overall system, as part of a system reliability
analysis.

->  Generation and probabilistic descriptions of appropriate crack
propagation data for modelling fatigue of complex components, e.g.,
multiplanar/overlapping joints.

->  Agreed methods and data for accounting for fabrication defects and
internal cracks (e.g., in cast/stiffened joints).

->  General approaches and philosophies for foundation condition
assessment and inspection.

->  Linking of probabilistic inspection planning tools with jacket
reassessment approaches.

5.4  Risk  management  of  novel  and/or  high  consequence  systems 

->  Research to study and establish relevant failure modes.

->  Probabilistic system reliability tools to investigate the
sensitivity of overall reliability to modes which are overlooked.

->  Reliability assessment of human error effects during design and
influence of accidental load effects.

->  Incorporating uncertainties in analytical tools/models in system
reliability analyses.

->  Establishing target risk levels for high consequence structures and
procedures for assessing them, taking into account modelling
uncertainties and damage tolerance measures.

->  Assessment of installation risk.

->  Establishing a rationale for deciding on the environmental design
criteria for checking the structure (e.g., 100 year, 1000 year or
10,000 year) and use of conventional design codes/factors.

->  Use of measured data during operations to update/tune
reliability/risk models.

->  Proper modelling of combinations of load effects.

5.5  Design 

->  Reflection of Type II (modelling) uncertainties in probability-based
design codes.

->  Development of a reliability-based design code format for
compliant/dynamic platforms.

->  Combination of environmental events for design of compliant/dynamic
platforms.

->  Consequence and system redundancy/robustness factors in probability-
based design codes.

->  Split-factor code design approaches for foundation systems and for
seismic loadings.

->  Probabilistic modelling of ice forces for reliability-based Arctic
design.

->  Probabilistic design approaches to limit "downside risk" in the
event of later operational decisions to extend platform duty/use.

->  Development of commonly agreed procedures/paradigms for developing
probability-based design codes.

6.  Opportunities for Implementation

By  their  original  selection,  the  four  topic  areas  selected  above  are  both 
opportunities  and  needs  for  near-term  implementation.  More  pointedly,  the 
working  group  concluded  that  the  first-generation  reliability  tools  and  relevant 
physical/probabilistic models exist — or are relatively high on the development
curve  —  to  conduct  risk  assessments  of  (1)  jackets  under  reassessments,  (2) 
novel  or  high  consequence  systems,  and  (3)  direct  reliability-based  design.  In 
fact,  the  industry  has  some  experience  in  all  these  topics;  impediments  to 
broader  use  include  lack  of  firm  guidance  in  use  of  risk  analysis  results,  narrow 
dissemination  of  expertise  and  tools,  and  in  some  cases,  management/regulator 
resistance. 

Optimized  inspection  is  in  use  at  the  member  level  (with  limited  member 
importance considerations), and apparently the techniques will be extended to
full  system  level  in  the  near  future.  The  direct  benefits  have  already  been 
demonstrated  at  the  member  level. 

In  all  cases,  the  implementation  will  be  accelerated  with  the  reduction  of  the 
impediments  mentioned  above  and  with  further  research,  development,  and 
"institutionalization"  (in  the  form  of  broadly  agreed  procedures)  of  analyses  of 
systems effects, joint environmental phenomena, Type II uncertainty in loads and
behavior, and reliability performance goals.

REPORT OF WORKING GROUP #4

PRODUCTION  FACILITIES 

J. Frank Davis
and 

Magne  Torhaug 

1.  Introduction

This  paper  presents  the  conclusions  of  the  Working  Group  on  Production  Facilities 
at  the  International  Workshop  on  Reliability  of  Offshore  Operations,  March  1991. 
The  paper  reflects  the  general  consensus  of  the  Working  Group,  and  does  not 
necessarily  reflect  the  opinions  of  all  the  Group  members.  The  paper  is 
structured after the nine theme questions established by the two co-chairmen (J.
Frank Davis and Magne Torhaug) for the workshop:

a.  Do  we  need  to  adopt  more  formal  risk  assessment  technologies? 

b.  Do  we  need  to  prepare  a  safety  case  similar  to  that  proposed  for  the  U.K. 
offshore  activities? 

c.  What  techniques  should  be  used  to  identify  hazards? 

d.  What  tools  are  suited  and  necessary  for  consequence  analyses? 

e.  Should  frequencies  be  calculated? 

f.  What risk assessment criteria should be used?

g.  Should  regulations,  including  risk  acceptance  criteria,  be  prescriptive  or 
performance  (objective)  oriented? 

h.  What  additional  resources  are  needed  to  enhance  process  safety  of  offshore 
production  facilities? 

i.  How  should  mitigating  measures  be  implemented? 

The Working Group did not get adequate time to discuss question i), and this is
therefore  not  covered  in  the  following. 

The  Working  Group  had  the  benefit  of  prepared  presentations  from 

-  Roy  McKay  of  Arco,  who  presented  Arco  practice  for  installations  in 
the Gulf of Mexico and the U.K.,

—  Jim Galloway of Exxon Production Research Company, who presented
Exxon practice for platforms in Australia,

—  Harvey Schultz of Mobil, who presented Mobil practice for
installations offshore Nigeria,

—  Ken  Arnold  of  Paragon  Engineering,  who  presented  points  of  view  as 
seen  from  a  small  Gulf  of  Mexico  operator, 

—  James  Breaux  of  Shell  Oil,  who  presented  the  Shell  Oil  practice  for 
Gulf  of  Mexico  installations, 

—  Magne Torhaug of Det norske Veritas, who presented a Working Group
theme  paper  as  an  introduction  to  the  workshop. 

It  is  noted  that  the  focus  of  this  paper  is  on  risk  analysis.  This  is  in 
accordance  with  the  defined  purpose  of  the  workshop.  The  title  reference  to 
reliability  analysis  could  therefore  be  misleading. 

In  the  following,  each  theme  question  will  be  discussed.  Many  of  the  theme 
questions  are  complex,  and  could  alone  be  subjects  for  entire  workshops.  The 
purpose of the workshop, as well as of the paper, cannot be in-depth discussion of
each topic, but rather to generate an overview and a basis for further work in
various forums/organizations.

2.  Do We Need To Adopt More Formal Risk Assessment Technologies for Offshore
Production  Facilities  Design  and  Operation? 

Is  there  "hard"  data  to  support  an  affirmative  answer  to  this  question? 

Risk  assessments  are  widely  applied  today  in  the  offshore  industries  of  Denmark, 
Norway  and  the  U.K.  In  Canada,  there  will  also  be  formal  risk  assessments  of  all 
offshore production facilities. The basis for this development has been regulations
by  national  authorities.  There  are  requirements  for  Quantified  Risk  Assessments 
(QRA)  in  all  four  countries. 

From  the  Working  Group  discussion,  it  is  evident  that  several  oil  companies  are 
now  applying  risk  analyses  of  various  forms  in  many  of  their  operations  around 
the  world,  also  where  this  is  not  required  by  authorities. 

Thus,  it  was  concluded  that  both  authorities  and  oil  companies  must  have  found 
the  application  of  formal  risk  assessments  useful. 

The  Working  Group  also  concluded: 

—  The extent of the risk assessment and the methods used should be tailored
to the facility and the situation in question. Simplified assessments
are adequate in cases where great detail and/or accuracy is not needed.
It was also pointed out that the practice of risk analyses of offshore
installations had been established in areas where the platforms are on
average much larger and more complex than in the Gulf of Mexico and many
other parts of the world. The term "risk assessment" is here used in a
wide sense, and it may mean either a full quantitative risk
analysis or a qualitative assessment.

—  The  risk  assessments  may  in  some  cases  be  qualitative  and  still  provide 
adequate  information. 

—  There may be no need for risk assessments for some facilities, typically:

—  facilities  which  are  sufficiently  similar  so  that  industry  developed 
generic  risk  assessments  are  adequate. 

—  small  and  simple  platforms. 

-  The  risk  assessments  should  consider  the  entire  field,  not  only  the 
facilities  of  the  platforms. 

3.  Do  We  Need  a  Safety  Case  Similar  to  that  Used  by  the  Downstream  Refineries 
and  Plants  in  Europe  and  Proposed  by  Lord  Cullen  for  the  British  Offshore 
Industry? 

The  Safety  Case,  as  proposed  for  U.K.  offshore  industry  by  Lord  Cullen,  combines 
the  Safety  Management  System  with  "technical  risk  control."  In  short,  the  Safety 
Case  demonstrates  that: 

-  The Safety Management System (SMS) of the company and the installation(s)
in  question  are  adequate  for  design  and  operation. 

—  The  potential  major  hazards  have  been  identified  and  appropriate  controls 
provided.

-  There  are  adequate  provisions  in  cases  of  major  emergencies  for: 

—  Temporary  safe  refuge, 

—  Safe and full evacuation, escape and rescue.

The Safety Case is updated regularly (every 3-5 years).

Thus,  the  Safety  Case  is  a  document  showing  the  adequacy  of  the  Safety  Management 
System  (SMS)  and  the  technical  measures  to  control  risks. 

Risk  assessments  will  not  be  useful  unless  the  results  are  implemented.  This  is 
not  restricted  to  implementing  the  design  recommendations  of  the  risk  assessment. 
In  addition,  it  is  desirable  to  follow  up  assumptions  made  in  the  risk 
assessment,  to  reassess  the  risk  if  operating  conditions  and/or  design  are 
altered,  and  to  follow  up  that  actual  performance  of  the  facility  is  at  least  as 
good  as  assumed  in  the  risk  assessment. 

The SMS is obviously a part of a company's QA system. In many companies and
countries, the SMS should therefore comply with given standards (e.g., for the
EEC, ISO Standard 9000) and be subjected to regular audits. An additional safety
case documentation may therefore be unnecessary in some cases.

The compliance of an SMS with modern QA standards may also affect the
answers to some of the other Theme Questions. Can such compliance be achieved
without:

—  Objective oriented risk criteria? (How do we otherwise specify
risk/safety to be achieved?)

—  Systematic use of risk assessment? (How do we otherwise measure
compliance with the criteria?)

—  Systematic  experience  retention,  e.g.  on  failures  and  accidents? 

—  Systematic  updating  of  the  risk  assessment? 

The  Working  Group  concluded: 

—  There  are  needs  for  Safety  Management  Systems. 

—  API  RP  750  provides  adequate  recommendations  for  such  management  systems. 

—  Preparation of a safety case exactly as proposed in the Cullen
Report  is  not  deemed  generally  necessary. 

4.        What  Techniques  Should  be  Used  to  Identify  Hazards  in  Offshore  Production 
Facilities? 

Hazard  identification  is  the  first  step  of  the  risk  assessment  work  process. 
Oversights  in  this  step  will  lead  to  omissions  of  hazards.  This  step  is 
therefore  the  most  important  part  of  the  risk  assessment. 

No technique for hazard identification can substitute for experience in risk
assessment,  other  safety  work,  and  design  and  operation  of  the  type  of  facility 
considered.  This  indicates  that  the  hazard  identification  will  have  to  be 
conducted  jointly  by  several  people  representing  diverse  experience,  e.g., 
design,  operations,  maintenance,  etc. 

Another  important  aspect  of  hazard  identification  (which  is  unrelated  to  the 
technique)  is  proper  definitions  and  subdivisions  of  the  facilities  and 
activities  being  studied.  No  hazard  should  be  omitted  because  a  part  of  a  system 
was  not  considered,  and  no  hazard  should  be  counted  twice. 

Typical  techniques  for  hazard  identification  are: 

—  HAZOPs (the most commonly used technique).

—  Use of checklists.

—  Failure mode and effects analysis.

—  Search  for  possible  unwanted  energy  releases. 

None of these techniques guarantees identification of all relevant hazards.

The  guide  word-based  techniques  (HAZOP  and  use  of  checklists)  have  the  advantage 
that  it  is  easier  to  bring  designers,  operations  and  other  non-risk  analysts  into 
the  hazard  identification.  The  disadvantage  with  these  techniques  is  that  they 
are  developed/fitted  to  specific  types  of  facilities.  Radically  new  applications 
may  require  development  of  additional/new  guide  words.  If  this  is  not  realized, 
omissions  may  occur. 

The  Working  Group  concluded  that  it  would  be  possible  to  develop  special 
checklists  for  hazard  identification  for  most  offshore  production  facilities. 
This  is  due  to  the  similarities  (or  at  least  a  limited  range  of  variations)  found 
with  most  offshore  facilities.  This  checklist  could  be  supplemented  with  other 
techniques  as  needed. 

5.  What Tools Are Best Suited to Perform Consequence Analyses?

The consequence analyses may be subdivided into four groups:

a.  The  development  of  accident  scenarios,  e.g.  by  event  trees  or  cause- 
consequence diagrams. These techniques are fairly simple, well-defined
and  seem  to  be  adequate  for  typical  analyses  of  offshore  facilities. 

b.  Calculation  of  the  physical  effects  of  accidents.  A  large  number  of 
techniques and a wide range of technical expertise are required to cover
all aspects of a complete set of platform (or even a topside) consequence
analyses.

c.  Reliability/availability  analyses  of  devices  and  systems.  There  are  a  few 
well-defined techniques including: direct failure statistics for some
equipment,  fault  tree  analysis,  or  reliability  block  diagrams. 

d.  Analysis  of  variance.  Due  to  the  large  number  of  variables  involved  and 
due  to  the  complicated  dependencies  in  the  various  parts  of  a  full 
consequence  analysis  model,  such  calculations  are  complicated. 

As  is  seen,  these  types  of  analyses  include  a  wide  variety  of  expertise.  Many 
structural  analyses  require  finite  element  capabilities,  which  are  also  used  for 
accurate  assessments  of  gas  spreading  inside  rooms.  It  is  therefore  doubtful 
that  the  risk  analyst  alone  should  decide  on  what  tools/techniques  are  to  be 
used. What could be discussed, however, are:

—  The  use  of  standardized  values  for  parameters  included  in  the  various 
analyses.

—  What factors should be included in the various types of calculations?

The Working Group commented that there are many inadequate modeling tools in use.
In particular this pertains to software. The Group especially discussed gas
dispersion tools. There is a need for some sort of qualification system for the
tools which are distributed commercially to assist users in their selection when
new tools are purchased.

The  Working  Group  concluded  that  a  common  data  base  for  reliability  assessments 
would  be  beneficial.  The  data  base  should  cover  selected  equipment  which  is 
common  for  most  platforms  and  which  is  vital  for  safety.  Also,  there  are  needs 
for  better  data  on  the  reliability  of  human  interventions  and  reactions  in 
accidental  or  other  critical  situations. 

The  question  of  variance  was  not  discussed  in  detail. 

6.  Should  Frequencies  of  Incidents  be  Part  of  a  Risk  Assessment  or  a  Safety 
Case? 

There  is  hardly  any  risk  assessment  without  some  form  of  assessments  of  accident 
frequencies.  Such  assessments  are  made,  e.g.  to  exclude  from  further  evaluation 
hazards  due  to  low  risks.  These  assessments  may  or  may  not  be  explicit,  i.e. 
certain  accidents  have  such  a  low  probability  that  their  exclusion  can  be 
considered  trivial,  e.g.  meteorite  hits. 

Accident frequency adds one important dimension to the risk picture. Decisions
without this dimension will, in many cases, be very difficult, e.g. the possible
maximum consequences of a process area release and fire may be similar for two
platform concepts, but the probability of the maximum consequences may be
different.

Still, there are problems connected to expression of frequencies or
probabilities; the concept of an annual frequency of 10^-4, or once every 10,000
years, tends to confuse. How can one trust such an estimate when the total number
of platform years in the world is less than 10,000? The answer is of course that
this frequency is for a combination of several events, each event with a
frequency based on observations from actual operations. There is, however, a
threshold frequency level below which one should consider that it is impossible
to maintain a complete overview of all possible accidents.
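
The reasoning in the preceding paragraph, as an added worked example that is not part of the workshop report: a combined frequency of 10^-4 per year is built from three event frequencies, each observable within a few hundred platform-years, and the sparse counts are then propagated to show how wide the band around that figure is. All counts are constructed for illustration, the three events are assumed independent, and the Jeffreys-prior treatment of the counts is this example's choice.

```python
import random

# Constructed operating experience (illustrative numbers, not workshop data).
PLATFORM_YEARS = 400                 # exposure behind the leak count
LEAKS = 20                           # process gas leaks seen in that exposure
IGNITIONS, LEAK_CASES = 10, 100      # ignited leaks / leaks with known outcome
BARRIER_FAILS, DEMANDS = 4, 200      # failures on demand / recorded demands


def point_estimate():
    """Annual frequency of 'leak AND ignition AND barrier failure'.

    Assumes the three events are independent, so the observed leak rate is
    multiplied by the two observed conditional probabilities.
    """
    leak_rate = LEAKS / PLATFORM_YEARS          # per platform-year
    p_ignite = IGNITIONS / LEAK_CASES
    p_barrier = BARRIER_FAILS / DEMANDS
    return leak_rate * p_ignite * p_barrier


def return_period_years():
    """Mean time between occurrences implied by the point estimate."""
    return 1.0 / point_estimate()


def uncertainty_band(samples=20000, seed=1991):
    """5th and 95th percentile of the combined frequency.

    Each input is drawn from the distribution its count supports
    (Jeffreys priors: Gamma for the rate, Beta for the probabilities),
    so the band reflects how few events stand behind each factor.
    """
    rng = random.Random(seed)
    draws = []
    for _ in range(samples):
        # gammavariate takes (shape, scale); scale = 1 / exposure.
        rate = rng.gammavariate(LEAKS + 0.5, 1.0 / PLATFORM_YEARS)
        p_ign = rng.betavariate(IGNITIONS + 0.5,
                                LEAK_CASES - IGNITIONS + 0.5)
        p_bar = rng.betavariate(BARRIER_FAILS + 0.5,
                                DEMANDS - BARRIER_FAILS + 0.5)
        draws.append(rate * p_ign * p_bar)
    draws.sort()
    return draws[int(0.05 * samples)], draws[int(0.95 * samples)]


if __name__ == "__main__":
    low, high = uncertainty_band()
    print(f"point estimate : {point_estimate():.1e} per year")
    print(f"return period  : {return_period_years():,.0f} years "
          f"(from {PLATFORM_YEARS} platform-years of data)")
    print(f"90% band       : {low:.1e} to {high:.1e} per year")
```

The factor with the fewest recorded events (here the barrier failures) dominates the width of the band, which is why better data on such events narrows the estimate most.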

The Working Group concluded that the extent to which a risk analysis needs to be
quantitative will depend on the purpose of the analysis. If the risks connected
to  the  various  decision  alternatives  can  be  adequately  described  without 
assessing  accident  probabilities  in  detail,  the  analysis  need  not  be  quantified 
further.  The  Working  Group  was  not  necessarily  in  full  agreement  on  what  this 
means  in  practice,  i.e.  the  interpretation  of  what  constitutes  adequately 
described  risks  may  vary. 

7.  What Types of Risk Acceptance Criteria Should be Used?

It is assumed that risk assessment is used as a tool to provide information to
decision makers about the risk associated with different decision alternatives,
or one particular design/set of activities. What should be their criteria for
acceptance? Some observations should be repeated at this stage:

—  Society  has  no  consistent  view  of  what  risk  levels  are  acceptable.  The 
risk  levels  tolerated  in  society  (for  risk  to  life)  vary  over  wide  ranges 
-  factors  of  10,000  can  be  observed.  Perceived  risk  is  often  determined 
more  by  public  (and  political)  reactions  to  risk  than  real  risk. 

—  The  maximum  risk  levels  tolerated  for  voluntary  risks  are  generally  much 
higher  than  for  non-voluntary  risks. 

Still,  there  are  limits  as  to  what  a  company  (and  society)  can  spend  on  safety. 
Therefore  there  are  needs  for  risk  acceptance  criteria  to  provide  the  basis  for 
a  rational  distribution  of  resources  for  reduction  of  risk.  There  are  major 
decisions  in,  e.g.  all  field  development  projects,  with  significant  impacts  on 
risk.  In  these  decisions,  there  is,  explicitly  or  implicitly,  always  a  decision 
to tolerate a certain risk level. To what extent shall there be specific
criteria for the decision maker?

There  are  examples  of  risk  acceptance  criteria  defined  by  authorities.  In  the 
offshore  industry,  the  Norwegian  Petroleum  Directorate  (NPD)  until  1990  used  to 
specify  maximum  allowable  probability  for  failure  of  defined  platform  safety 
functions.     The  functions  were: 

—  Integrity  of  the  main  support  structure  of  the  platform 

—  Integrity  of  escape  routes  at  the  platform  (at  least  one  from  each  area) 

—  Integrity  of  the  shelter  area  (i.e.  the  area  where  crew  will  shelter 
before  evacuation) 

The integrity should be maintained for periods adequate to undertake safe escape
and evacuation of the platform. The maximum probability for failure of any
safety function within the given time period should be less than 10^-4 per year
for any type of accident (nine types of accidents were specified). NPD does now
not specify the maximum allowable risk, but requires the operator to provide such
a specification.

The  Cullen  Report  specifies  similar  requirements,  and  specifies  that  "the 
acceptance  standards  for  risk  and  endurance  time  should  be  set  before  submission 
of  the  Safety  Case".  As  far  as  we  have  been  informed,  the  U.K.  authorities  will 
themselves  specify  these  acceptance  standards. 

The  Canadian  regulations  are  similar  to  the  new  Norwegian  ones,  i.e.  the  operator 
is  required  to  specify  his  acceptance  criteria. 

There  are  examples  of  more  demanding  risk  acceptance  criteria  in  certain  parts 
of  California,  where  frequency-consequence  diagrams  are  used. 

Examples  show  that  the  formulation  of  risk  acceptance  criteria  can  pose  problems. 
The  criteria  should  be: 

—  Realistic, i.e. achievable; in reality this means reflecting the currently
achieved risk levels.

—  Challenging, i.e. secure improvements when needed.

—  It  is  also  desirable  that  the  criteria  secure  optimal  utilization  of  all 
kinds  of  technologies  and  measures. 

The  Working  Group  concluded  that  acceptance  criteria  should  preferably  be 
qualitative.  However,  in  cases  where  Quantified  Risk  analyses  had  to  be  used, 
the  criteria  should  be  in  the  form  of  maximum  allowable  probability  for  loss  of 
specified  safety  functions. 

8.       Should  Regulations,  including  Risk  Acceptance  Criteria,  be  Prescriptive  or 
Performance  Oriented? 

One of the recommendations in the Cullen Report is that "The principal
regulations in regard to offshore safety should take the form of requiring that
stated objectives are to be met (referred to as 'goal-setting regulations')
rather than prescribing that detailed measures are to be taken" (Ref. 1, pp. 390
and 391).

Prescriptive  regulations  are  today  the  most  common.  Some  advantages  and 
disadvantages  are: 

Advantages  of  prescriptive  regulations: 

—  High  degree  of  predictability  as  to  what  will  be  accepted. 

—  Technically  easy  to  verify. 

—  Easy to understand for technically qualified personnel.

—  Mostly  in  accordance  with  current  practice. 

—  Securing a fixed basis for what is considered the principles of safe
design and operation based on years of experience.

The  disadvantages  are: 

—  Normally  voluminous. 

—  Handling  of  new  technology  is  difficult. 

—  May be reactive in development, i.e. some changes are based on experienced
accidents.

—  Requires  much  manpower  for  verification  and  updating. 


It  should  be  noted  that  no  offshore  regulations  are  based  solely  on  performance 
oriented  regulations.  Considering  the  volume  of  regulations  and  recommendations 
as  well  as  the  practice,  they  are  all  basically  prescriptive,  some  with 
performance  oriented  regulations  in  addition. 

An important principle included in, e.g. the rules of Det norske Veritas
Classification, is the "equivalent safety principle". This allows deviation
from the prescriptive rules if it can be proven, e.g. by a risk analysis, that
the result provides the same level of safety.

The  Working  Group  concluded: 

—  Prescriptive  regulations  are  desirable  for  simple  platforms  in  well 
known  environments  such  as  the  Gulf  of  Mexico  where  a  lot  of 
previous  history  is  reflected  in  the  regulations. 

—  Performance  oriented  regulations  may  be  desirable  in  situations  or 
areas  where  the  situation  is  more  complex,  e.g.  with  larger,  more 
integrated  platforms  and  more  extreme  environmental  conditions. 

—  The  "Equivalent  Safety  Principle"  should  always  be  included. 

9.  What Additional Resources are Desirable to Enhance the Process Safety of
Offshore Production Facilities? Which Organization(s) Should Take the
Lead in Providing the Resources?

The  Working  Group  concluded  on  the  following  list  of  needs  for  offshore 
production  facilities: 

1.        The  industry  should  cooperate  to  develop: 

a)  Risk  Management  and  Design  Guidelines  pertaining  to 

—  Hazard  identification, 

—  Fire  water  and  deluge  systems, 

—  Gas  detection,  fire  detection, 

—  Riser  locations, 

—  Layouts.

b)  Failure Rate Data Base(s) on

—  Offshore production equipment, about 25 different types of
equipment,

—  Human "errors".

c)  Structural Design Guidelines for accidental loading from fire or
explosion.

d)  Exchange of accident and incident data for production facilities.

e)  Better quality databases covering a broader range of accident
severity.

2.  Industry  and  agencies  should  cooperate  to  develop  and/or  accept  physical 
effects  models  and  corresponding  parameters  for  use  in  accident 
consequence  assessments. 

10.  Conclusions

The  Working  Group  concluded  that  the  reliability  of  offshore  production 
facilities  may  be  enhanced  by  use  of  more  formal  risk  assessment  technologies. 
However,  preparation  of  a  safety  case  as  proposed  by  Lord  Cullen  for  use  in  the 
U.K.  offshore  was  not  deemed  necessary  nor  justified  for  facilities  that  are 
installed  in  the  open  atmosphere,  such  as  is  typical  for  the  Gulf  of  Mexico  or 
other  semi-tropical  or  tropical  regions.  The  likelihood  of  damaging 
overpressures  increases  as  the  number  of  enclosed  modules  increases.  Confinement 
within  modules,  density  of  obstacles  and  potential  sources  of  release  such  as 
process  equipment,  ventilation  conditions  and  ability  to  vent  explosions  are  all 
factors  that  influence  the  need  for  formal  risk  assessment.  In  general,  the 
benefits  of  risk  assessments  increase  as  the  mechanical  complexity  of  the 
facilities  increases.  The  fluids  handled  by  offshore  production  facilities 
(except  for  hydrogen  sulfide)  are  not  a  major  factor  in  applying  formal  risk 
assessment  since  crude  oil  and  natural  gas  are  considerably  less  hazardous  than 
the  fluids  handled  by  downstream  processing  facilities  such  as  refineries  or 
chemical  plants. 

REPORT OF WORKING GROUP #5


PIPELINES  AND  SUBSEA  SYSTEMS 


John E. Strutt
and 

P.  St.  Jasper  Price 

1.  Introduction

This report summarizes discussions and conclusions of the Working Group on the
reliability  of  subsea  systems  and  submarine  pipelines.  The  membership  of  the 
Working  Group  is  attached.  Discussion  papers  were  prepared  and  distributed  by  the 
co-chairmen.  These  outlined  the  state  of  the  practice,  problem  areas,  data 
acquisition  and  research  needs  and  opportunities  for  implementation  from  their 
respective  perspectives.  The  scope  of  the  discussion  papers  chosen  by  the 
co-chairmen  responded  to  conclusions  and  initiatives  recommended  in  the  reports 
from  the  1984  International  Workshop  on  "Application  of  Risk  Analysis  to  Offshore 
Oil  and  Gas  Operations"  held  at  the  National  Bureau  of  Standards. 

2.  Scope

The objectives set for Working Group #5 were to discuss the current practice,
progress, and future directions in the fields of risk management and
safety/reliability analysis of offshore oil and gas pipelines and subsea systems.
The  focus  of  the  Working  Group  initially  defined  by  the  co-chairmen  was: 

a.  To  discuss  the  current  state  of  practice  of  risk  and  reliability 
analysis  and  assess  whether  the  technology  was  at  a  sufficient  level 
for the subsea industry to use it in assessments of subsea systems
and pipelines.

b.  To  address  the  question  posed  at  the  1984  workshop  on  whether  a 
code(s)  of  practice  should  be  developed  to  support  the  application 
of  these  techniques  in  the  subsea  industry. 

c.  To  discuss  research  and  short  term  actions  needed  to  effectively 
implement  the  technology. 

The  initial  position  defined  by  the  co-chairmen  was  focused  primarily  on  the 
techniques  for  the  assessment  of  reliability  and  availability  of  subsea  systems; 
and  on  the  potential  needs,  benefits,  practicality  and  effectiveness  of  a 
comprehensive  code  of  practice  for  planning,  design,  construction,  operations  and 
maintenance,  monitoring  and  control,  inspection  and  rehabilitation  of  pipelines, 
appurtenances  and  subsea  systems.  Diving  and  inspection  equipment,  and 
intervention  systems  required  to  maintain  and  repair  subsea  systems  and 
pipelines  were  not  included  in  the  discussions.  At  an  early  stage  of  discussions 
within  the  Working  Group  it  became  evident  that  operations  would  also  need  to  be 
considered  and  the  scope  was  accordingly  increased. 


Differing  practices  are  currently  relied  on  to  assess  risks  and  to  assess  the 
reliability  of  subsea  systems  and  submarine  pipelines  respectively.  Hence  the  two 
areas  were  discussed  separately  in  the  workshop.  Although  there  was  insufficient 
time  to  cover  both  pipeline  reliability  analysis  and  subsea  system  risk  analysis 
in the same level of detail, the discussions were reasonably conclusive.

3.       State  of  Practice 

There  appear  to  be  several  approaches  to  assess  risks  and  reliabilities  of  subsea 
systems  and  submarine  pipelines.  For  pipelines,  first  order  component  limit 
states  methodology  is  often  used  for  structural  design  purposes,  and  consistent 
higher  order  evaluation  of  system  structural  strength  condition  may  be  generally 
more  relevant  for  inspection  and  integrity  (risk)  assessment  of  operating 
systems. On the other hand, a component based systems reliability/availability
approach seems to be generally favored for subsea systems.

The  co-chairmen  reviewed  the  range  of  reliability  and  hazard  assessment  methods 
with  potential  example  applications  to  subsea  systems  and  to  pipelines  detailed 
in the appended discussion papers, and solicited discussion from the working
group.

3.1  Subsea Systems

3.1.1      Techniques  Discussed 

A  wide  range  of  Risk/Reliability  analysis  techniques  can  potentially  be  used  for 
the assessment of subsea systems. Several methods were discussed by the work
group as follows:

(i)  Failure  mode  and  hazard  identification  techniques  including: 

—  Check  lists 

—  Failure  Modes  and  Effects  Criticality  Analysis  (FMECA) 

—  Hazard  and  Operability  Studies  (HAZOPs) 

(ii)  System  evaluation  methods  including: 

—  Fault  trees 

—  Event  trees 

—  Network  analysis 

—  Parts  counts/parts  stress  method 

—  Availability  modeling 

—  Dropped  object  risk  assessments 

3.1.2  Techniques Currently in Use


The  most  common  techniques  in  use  for  the  assessment  of  subsea  systems  are 
failure  modes  and  effects  analysis  backed  up  in  some  instances  by  fault  tree 
analysis  or  event  tree  analysis  for  reliability  assessment. 

Availability  analysis  is  widely  used  for  the  assessment  of  a  subsea  system  and 
for  investigation  of  field  scenarios.  Computer  packages  such  as  MIRIAM  and  MAROS 
are  in  common  use  for  modeling  production  availability. 

Although  reliability  and  availability  studies  are  common  practice,  hazard 
analysis  techniques  appear  not  to  be  in  widespread  use  for  subsea  systems  and 
subsea  pipelines  at  this  time  (apparently  some  limited  hazard  analysis  work  has 
been  carried  out  by  operators  in  Norway  and  the  U.K.).  With  the  introduction  of 
new  safety  legislation  in  the  U.K.  the  use  of  these  techniques  is  likely  to 
increase. 

3.2  Pipelines

3.2.1  Techniques  Discussed 

The discussions for submarine pipelines were initially focused on the application
of various levels of structural reliability analysis method to submarine pipeline
design (a priori target safety/reliability planning); and on consistent
assessment of current integrity and safety of existing systems from surveillance
of actual environmental and operational loadings; and from pipe strength and
integrity assessment from corrosion, defect and structural deformation and
stress/strain inspection data. The discussion papers were intended to respond to
the following questions posed at the 1984 Workshop:

"The primary concern of the standard-making bodies is the safety and
integrity of the offshore installations and the protection of human life and the
environment. If more sophisticated approaches to risk analysis can enhance the
chances of achieving these goals, they should be included as part of the general
formulation of the standards, codes, and practices. An initiative to include
more sophisticated or structured risk analysis in industry standards or to
address them through government regulations should be evaluated against such
criteria as: is it needed, is it beneficial, is it accomplishable, is it
cost-effective?"

The  purpose  of  the  discussions  included  testing  whether  the  answer  to  these 
questions  should  be  positive,  and  whether  to  push  reliability  in  a  structured 
code  formulation  further  toward  reality. 

3.2.2  Techniques  Currently  in  Use 

The  participants  felt  that  at  the  present  time  reliability  design  and  evaluation 
of  pipelines  was  not  common  in  U.S.  practice.  Industry  generally  relied  on  the 
ANSI/ASME  pipeline  design  standards  to  provide  a  safe  and  reliable  pipeline.  They 
felt  that  a  quantitative  value  for  pipeline  reliability  was  not  often  required 
and  any  doubts  about  the  condition  of  a  pipeline  were  handled  by  internal  and 
external  inspection.  Questions  on  how  to  specify  and  assess  data  from  inspection 
equipment were not resolved.


4.  Problem Areas and Future Directions

4.1  Subsea Systems Hardware

Two principal items, namely data deficiencies and modeling deficiencies,
stimulated dialogue. The discussion on data deficiencies covered data collection
studies  and  reliability  prediction  studies.  The  discussions  on  modeling 
deficiencies  were  not  fruitful  owing  to  insufficient  time. 

4.1.1  Reliability  Data  Collection 

The  discussion  centered  on  the  need  for  a  data  base  to  support  reliability  and 
availability  studies.  The  principal  need  identified  was  for  definitive  failure 
rate  data  for  subsea  components.  The  discussions  did  not  define  the  level  of 
detail  that  would  be  required  for  the  component  reliability  data.  The  group  did 
not  perceive  a  need  for  component  reliability  dependency  information,  i.e., 
failure  causes,  partly  because  it  does  not  appear  to  be  useful  in  current 
practices  and  was  considered  to  be  difficult  to  obtain.  Reliability  data 
gathering  was  considered  to  be  a  primary  area  for  concentrated  effort. 

4.1.2  Reliability  Prediction  Studies 

Techniques  for  reliability  prediction  used  by  current  practices  at  a  systems 
level  were  considered  in  general  to  be  adequate  to  meet  most  industry 
requirements.  It  was  considered  not  possible  to  predict  the  reliability  of  a 
specific  component  in  a  particular  application  from  fundamental  principles  with 
any  degree  of  certainty,  and  development  of  techniques  for  the  prediction  of 
reliability  at  the  component  level  was  felt  to  be  impracticable  and  largely 
unnecessary in the context of operators' needs and current practices. However,
it  was  felt  that  methods  of  relating  specific  component  reliability  to  design, 
QA,  or  manufacturing  practice  for  novel  "on-off"  systems  would  be  of  use  to 
manufacturers  of  components  and  for  reliability  specifications.  Such  techniques, 
if  developed,  could  also  be  useful  to  operators  in  special  component  selection 
studies  in  which  reliability  comparisons  of  particular  component  types  supplied 
by  different  manufacturers  are  required. 

4.2  Pipelines

Although the existing standards have served industry well, it was felt by some
that they were falling behind oil industry practices and are deficient in a
number of areas:

a.  They  do  not  explicitly  deal  with  all  potential  structural  and  strength 
failure  modes  that  a  pipeline  might  suffer.  Particular  examples  discussed 
included  assessment  of  pipeline  integrity  and  pressure  containment  of 
corroded  and  otherwise  damaged  systems;  and  assessment  of  upheaval  buckling 
risks  in  the  North  Sea  and  Arctic. 

b.  They rely on subjective stress safety indices and do not explicitly deal
with quantification of component or system reliability (i.e. real safety
with consideration of damage/failure consequences) of a pipeline section or
pipeline system.

c.  There is no guidance for inspection data accuracy and how inspection data
should be effectively used in risk/reliability assessments for maintenance
and rehabilitation decisions to upgrade specific reliability levels. (It was
emphasized  that  assumed  validity  of  standard  design  stress  indices  from 
current  standards  for  risk/reliability  assessments  of  existing  operating 
systems  is  not  generally  valid  for  real  safety  analysis  and  could 
potentially  lead  to  unnecessarily  costly  maintenance  or  derating 
requirements  of  aged,  corroded  and  otherwise  damaged  systems,  on  the  one 
hand;  and  sometimes  unconservative  design  requirements  on  the  other  hand.) 

The  reasons  for  these  deficiencies  may  be  that  techniques  for  the  quantification 
of  reliability  and  risks  of  existing  pipelines  are  not  well  established  or  widely 
used  for  submarine  pipelines,  or  for  less  sensitive  on-land  pipelines.  In 
availability  studies  of  subsea  systems  it  is  quite  common  to  assume  that  the 
pipeline  reliability  is  so  high  relative  to  the  components  of  the  subsea  system 
that  the  pipeline  system  can  be  excluded  from  the  analysis.  Whether  this  is  a 
reasonable  assumption  was  not  resolved. 

Failure  statistics  on  reportable  incidents  for  on-land  lines  are  collected  to 
help  identify  the  types  of  inspection  and  maintenance  measures  needed  to  reduce 
the  failure  risks  and  upgrade  existing  pipelines.  The  statistics  seem  to  support 
the  need  for  a  more  structured  and  rational  approach  both  for  economic  and  for 
real  safety  reasons.  Rationalization  of  pipeline  integrity  is  an  issue  that 
should  be  studied  for  all  systems,  whether  on-land,  marine  or  in  frontier  areas. 
Discussions  in  this  section  focused  primarily  on  whether  the  industry  was  ready 
at  this  time  to  make  the  transition  to  a  reliability  based  design  code  for 
pipelines.  The  group  had  insufficient  time  to  resolve  this  issue  but  in  the  co- 
chairmen's  view,  the  techniques  are  available  and  further  work  is  appropriate  to 
demonstrate  the  need  for,  and  the  approaches,  the  effectiveness  and  the 
usefulness  of  the  techniques. 

There  was  general  interest  in  use  of  rational  risk  and  reliability  assessment 
methods  for  existing  pipelines;  and  there  was  some  support  for  a  future  code  of 
practice  to  standardize  and  guide  the  industry,  with  the  pragmatic  constraint 
of  gradual  transition  and  development. 

4.3  Subsea Operations

Operating practices and procedures related to subsea systems and pipelines were
discussed briefly. In particular the need for and benefits of dropped objects
risk assessments were discussed. Well established procedures are emerging for
assessing the risk of dropped objects but there appears to be a difference in
perceived need comparing the Gulf of Mexico and North Sea experience. A dropped
objects risk assessment is more often required in the North Sea sector because
of the rougher seas and the consequent difficulties of transferring and handling
objects.

It appears that the main thrust for the development of a code of practice for
dropped objects risk assessment is coming from companies operating in the North
Sea  sector.  There  was  a  feeling  that  more  research  might  be  needed  for  developing 
more  realistic  models  for  trajectories  and  velocities  of  objects. 

4.4  Hazard Assessment

There  is  a  growing  demand  for  hazard  assessments  to  be  carried  out  on  offshore 
installations.  The  importance  of  this  was  recognized  by  the  Workshop  participants 
and  as  a  result  the  Workshop  objectives  were  modified  to  include  this  as  an 
agenda  item  for  discussion.  In  particular  the  workshop  discussed  whether  the 
techniques  are  sufficiently  advanced  for  industry  to  use  them  now  for  offshore 
system  assessments. 

HAZOP (hazard and operability studies) and HAZAN (hazard analysis) techniques
were discussed in the context of a complete development system which included
the subsea system, pipelines and topside facilities. There is a genuine need for
these techniques not only because they could lead to cost effective designs and
rational decisions for design, routing and layout of equipment and pipelines, but
also because their use will soon be mandatory in the U.K. sector and may well
become mandatory in the Gulf of Mexico and elsewhere.

It  was  felt  that  the  techniques  of  hazard  analysis  were  well  established  in  the 
offshore  industry  and  in  general  the  techniques  were  applicable  to  subsea  systems 
and  pipelines.  Documented  guidance  such  as  a  code  of  practice  on  the  use  of  these 
techniques  was  seen  as  an  important  step  in  establishing  the  more  widespread  use 
of  the  techniques  and  in  standardizing  the  approaches  in  the  subsea  industry. 

5.  Concluding Remarks —  Opportunities for Implementation and Application

The  North  Sea  and  other  European  areas  have  experienced  numerous  subsea 
development  and  maintenance  activities  and  the  same  trend  is  expected  in  the  Gulf 
of  Mexico.  Subsea  technology  including  maintenance  and  rehabilitation  for 
consequence  control  and  prolonged  useful  life  is  improving  at  a  time  when  there 
are  increasing  requirements  for  safe,  reliable  and  pollution  free  operations.  The 
main  points  of  particular  interest  to  the  workshop  participants  seemed  to  be: 

a.  Reliability,  availability  and  hazard  assessment  tools  are  vitally  important 
for  effective  subsea  technology  implementation  and  application.  This 
importance  is  emphasized  by  the  need  to  improve  the  rationality  of  safety 
and  integrity  specifications  and  regulations;  and  the  capabilities  of  these 
tools  for  consistent  and  rational  balancing  of  tradeoffs  for  safety  and  cost 
effectiveness  and  extreme  hazard  or  event  probabilities. 

b.  Tools  needed  to  carry  out  reliability,  availability  and  hazard  analyses 
exist  but  there  are  no  standards,  guidelines  or  recommended  practices  to 
ensure  a  uniform  consistency  in  their  application  to  subsea  operations. 

c.  There  was  some  support  for  the  eventual  development  of  a  comprehensive 
reliability  based  code  of  practice  for  planning,  design,  construction, 
operations  and  maintenance,  monitoring  and  control,  inspection  and  integrity 
assessment and rehabilitation of submarine pipelines, appurtenances and
subsea systems but it was felt that in practice this objective could not be
developed  in  the  short  term.  It  would  be  more  appropriate  to  phase  in  such 
a  code  of  practice  gradually  as  experience  is  gained  in  the  need,  benefits, 
utilization  and  effectiveness  of  reliability  methods;  and  an  effective  data 
base  is  developed. 

There  was  agreement  on  the  need  for  a  recommended  practice  including 
techniques  for  the  application  of  qualitative  and  quantitative  risk  and 
reliability  analysis  to  subsea  systems  and  pipelines. 

The initial scope of a recommended practice identified for the short term
included recommended practices, reliability and event data requirements,
and recommended data sources related to subsea systems for:

—  HAZOPs

—  FMECA

—  Fault Trees

—  Availability Analysis

It was felt that API in cooperation with the Minerals Management Service may
be the most appropriate bodies to generate recommended practices and future
codes.

Current  lack  of  a  generally  available  reliable  data  base  for  subsea 
operations  was  considered  a  major  obstacle  to  the  application  of  quantitative 
reliability  assessment  techniques.  Some  data  is  available  but  it  is  limited 
in  extent,  and  other  data  bases  are  restricted.  For  example,  OREDA  III  will 
include  some  reliability  data  for  subsea  systems  and  EXXON  have  made  some 
subsea  reliability  data  publicly  available. 

There  was  general  agreement  that  subsea  reliability  data  and  event  data  is 
sparse  and  it  is  recommended,   as  a  first  priority,   to  initiate  an 
international  joint  industry-government  program  on  reliability  and  event  data 
collection  for  subsea  components,  pipelines  and  systems. 
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REPORT  OF  WORKING  GROUP  #6 


DRILLING  OPERATIONS 

Adam T. Bourgoyne, Jr.
G.  V.  Lever 
and 
B.  Berry 

1.  Introduction

This  report  summarizes  the  results  of  deliberations  by  the  Working  Group  on 
Drilling  Operations  at  the  International  Workshop  on  Reliability  of  Offshore 
Operations,  March  1991. 

Offshore  oil  and  gas  operations  began  in  the  shallow  waters  of  the  Gulf  of 
Mexico. From this beginning in the 1950's the oil and gas industry has gradually
developed  the  capability  to  explore  in  water  depths  greater  than  7,000  ft. 
Drilling  contractors  now  operate  in  the  harshest  environments  in  the  world  and 
in  areas  containing  icebergs  or  covered  by  pack  ice  part  of  the  year.  For  the 
many  companies  involved  in  these  offshore  operations,  the  reliability  and  safety 
of  the  systems  used  has  been  and  continues  to  be  a  major  challenge.  Specialized 
groups  and  procedures  have  evolved  to  manage  these  operations. 

Because  of  their  complexity,  organizations  for  offshore  oil  and  gas  management 
have  historically  been  broken  into  the  two  main  areas  of  drilling  operations  and 
production  operations.  Oil  companies  handle  these  functions  at  the  field  level 
by  different  sub-organizational  groups.  This  division  of  responsibility  permits 
more  specialization  of  engineering  and  operations  expertise.  This  report  will 
consider  primarily  offshore  drilling  operations. 

Early  in  the  development  of  the  offshore  industry,  it  became  apparent  that 
economics greatly favored the use of a mobile offshore drilling unit (MODU) that can
move  easily  from  one  well  location  to  the  next.  As  industry  extended  the  search 
for  oil  and  gas  to  greater  water  depths,  drilling  contractors  developed  four 
distinct  types  of  MODU's.  Bottom  supported  MODU's  were  developed  for  exploring 
the  relatively  shallow  water  of  the  continental  shelves.  MODU's  that  can  operate 
while  floating  were  developed  to  explore  the  deeper  waters  of  the  continental 
slopes.

The bottom supported MODU's include Submersibles and Jack-ups. Submersibles can
operate in water depths less than 100 ft. They are towed to a well location and
then ballasted to rest on bottom. Jack-ups are currently the most common type of
MODU  and  are  available  in  a  wide  variety  of  sizes  and  shapes.  Jack-ups  are  towed 
to  a  location  and  then  jacked  above  sea  level  on  long  legs.  The  largest  have  legs 
600  ft  in  length  and  are  capable  of  operating  in  water  depths  of  up  to  450  ft. 
Another  limitation  besides  water  depth  is  the  need  for  calm  seas  during  the 
jacking  process. 

For  water  depths  beyond  450  ft,  two  types  of  MODU's  are  available  that  can  drill 
while floating. The semi-submersible has two hulls with vertical columns
connecting them to the main deck. The hulls are ballasted down to a draft of 60-80 ft
for drilling operations. The large mass below sea level produces a low
motion  response  to  wave  forces.  The  drill  ship  is  a  ship-shaped  floating  drilling 
vessel  that  is  more  easily  moved  long  distances,  but  has  a  large  motion  response 
to  wave  forces  and  cannot  operate  in  rough  seas.  In  water  depths  less  than  about 
1500  ft,  floating  drilling  vessels  are  anchored  over  the  well  location.  For 
greater  water  depths,  dynamically  positioned  vessels  are  available  that  can  be 
held  on  location  during  drilling  operations  by  thrusters. 

Figure  1  shows  the  historical  MODU  population  since  1965  and  Table  1  shows  the 
1990  distribution  of  MODU's  by  geographic  area  and  by  rig  type.  The  mid  1990 
total  MODU  count  was  680.  Note  that  the  North  Sea  and  Gulf  of  Mexico  areas 
account  for  about  half  of  the  total.  Note  also  that  the  jack-up  design  accounts 
for  about  two-thirds  of  the  total  population.  MODU  reliability  is  especially 
important  in  areas  of  harsh  environment  such  as  the  North  Sea  that  can  make  a 
safe  rig  evacuation  much  more  difficult. 

"Reliability"  can  be  defined  as  the  probability  of  a  device  or  system  performing 
its  purpose  adequately  for  a  given  period  of  time  under  the  operating  conditions 
encountered.  For  well  defined  systems,  the  overall  reliability  can  be  calculated 
from  a  knowledge  of  the  reliability  of  each  component.  The  probability  of  a 
system  failure  (catastrophic  event)  is  one  minus  the  system  reliability.  "Risk" 
can  be  defined  as  the  product  of  the  probability  of  failure  and  the  consequence 
resulting  from  the  failure.  It  is  most  often  expressed  in  terms  of  lives  lost  or 
as  a  monetary  loss.  It  is  also  sometimes  expressed  in  terms  of  barrels  of  oil 
spilled  into  the  environment.  For  well  defined  systems  that  lend  themselves  to 
classical  reliability  analysis  methods,  risks  associated  with  alternative  designs 
can  be  evaluated.  Using  an  iterative  process,  the  statistical  relationship 
between  system  cost  and  reliability  can  be  estimated. 

In  this  report  the  current  practices  used  to  promote  a  safe  and  reliable  offshore 
drilling  operation  are  discussed.  Problem  areas  are  listed  and  research  needs  are 
recommended.  In  addition,  opportunities  for  implementation  and  application  of 
formal  reliability  analysis  methods  are  presented. 

2.       State  of  Practice 

Reliability  analysis  methods  are  not  routinely  used  in  drilling  operation.  In 
order  to  understand  their  potential  application,  let  us  first  review  the  basic 
concepts  used  in  this  type  of  analysis. 

2.1     Classical  Reliability  Analysis 

The  essential  components  of  a  classical  reliability  analysis  method  are  shown  in 
Figure  2.  The  first  step  in  the  process  is  to  completely  define  the  system  or 
alternative  procedures  being  evaluated.  The  second  step  is  to  identify  all 
possible  hazards  and  determine  their  causes  and  effects.  The  "hazards"  are 
substances,  situations,  or  events  that  have  the  potential  to  cause  harm  directly 
or  initiate  a  sequence  of  events  leading  to  harm.  The  "effects"  of  the  hazards 
are  determined  by  estimating  the  consequence  to  people,  the  environment,  and  the 
economic  resources  of  the  investors.  The  "causes"  of  the  hazards  are  the 
Figure 1 - Population of Mobile Offshore Drilling Units, 1965-90
(Horizontal axis: Year, 1965 to 1990)


TYPE               GULF OF MEXICO   NORTH SEA   ASIA   AFRICA   OTHER   TOTAL
Jack-ups                159             49        70      71      66     415
Semisubmersibles         37             60        20      10      44     171
Drillships                3              1        18       -      36      58
Submersibles             15              -         1       2      18      36
TOTAL                   214            110       109      83     164     680

Table 1 - International Population of Mobile Offshore Drilling Units, 1990
Figure  2  -  Reliability  Assessment  Procedure

combinations  of  system  component  failures  and/or  operator  errors  leading  to  the
undesired  effects.  The  determination  of  the  causes  and  effects  can  be  either 
inductive  or  deductive.  The  inductive  process  starts  with  an  assumed  failure,  and 
the  possible  effects  are  identified.  The  deductive  process  starts  with  an  assumed 
effect  or  catastrophic  event,  and  the  possible  causes  are  identified.  The  third 
step  involves  assessing  the  risks  from  all  hazards.  This  step  requires  a 
knowledge  of  the  probability  of  the  various  causes  identified  in  the  previous 
step.  This  information  is  generally  sought  by  developing  a  detailed  data  base 
identifying  the  various  possible  modes  of  failure  of  each  component  and  the 
observed  frequency  rate  of  each  failure  mode.  Once  the  risks  are  assessed,  it  can 
be  determined  if  they  are  acceptable.  If  the  risks  are  determined  to  be  too  high, 
changes are made and the analysis is repeated. This is called the "iteration
process" and characterizes reliability assessment methodology.

Although  all  reliability  analysis  methods  are  variations  of  the  classical 
approach  outlined  in  Figure  2,  there  are  many  variations  that  have  been 
developed.  The  most  common  variations  used  for  hazard  identification  include: 

1.  Preliminary or Gross Hazard Analysis,

2.  Hazard and Operability Studies (HAZOP),

3.  Failure Mode and Effect Analysis (FMEA), and

4.  Concept Safety Evaluation (CSE).

The  most  common  variations  used  for  risk  assessment  include: 


1.  Event  Trees, 

2.  Fault  Trees, 

3.  Reliability  Diagrams, 

4.  Markov  Diagrams, 

5.  Monte  Carlo  Simulation,  and 

6.  Common  Cause  Analysis. 


A  detailed  description  of  these  reliability  analysis  methods  is  beyond  the  scope 
of  this  paper.  However,  a  brief  summary  description  of  each  technique  is  given 
in  Appendix  A.  Often  the  analysis  of  a  system  will  involve  the  use  of  more  than 
one technique.
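
The component-to-system calculation and the "iteration process" described in this section can be carried through on a small constructed sub-system. The Python sketch below is an added example, not part of the original report; the component names, reliabilities, costs, consequence and acceptance criterion are assumed values, and redundant units are assumed to fail independently.

```python
"""Added illustration of the classical reliability iteration (constructed values)."""
from math import prod

# Assumed probability that each component works for the whole operation.
# Constructed numbers for illustration, not data from the report.
COMPONENT_RELIABILITY = {
    "hydraulic_power_unit": 0.995,
    "control_pod": 0.97,
    "ram_preventer": 0.98,
}
# Assumed installed cost of one unit of each component, in thousand dollars.
COMPONENT_COST = {
    "hydraulic_power_unit": 400,
    "control_pod": 250,
    "ram_preventer": 600,
}
CONSEQUENCE = 100_000_000   # assumed monetary loss if the system fails, dollars
ACCEPTABLE_RISK = 200_000   # assumed acceptance criterion, dollars per operation


def reliability(block):
    """Evaluate a reliability diagram written as nested (kind, children) tuples."""
    if isinstance(block, str):                 # leaf: a named component
        return COMPONENT_RELIABILITY[block]
    kind, children = block
    values = [reliability(child) for child in children]
    if kind == "series":                       # every child must work
        return prod(values)
    if kind == "parallel":                     # one working child is enough
        # Valid only for independent failures; a common cause defeats this.
        return 1.0 - prod(1.0 - v for v in values)
    raise ValueError(f"unknown block kind: {kind!r}")


def build_design(redundancy):
    """Series chain of stages; each stage holds n identical units in parallel."""
    return ("series", [("parallel", [name] * n) for name, n in redundancy.items()])


def assess(redundancy):
    """Risk assessment step: risk = probability of failure x consequence."""
    system_reliability = reliability(build_design(redundancy))
    p_failure = 1.0 - system_reliability
    return {
        "redundancy": dict(redundancy),
        "reliability": system_reliability,
        "p_failure": p_failure,
        "risk": p_failure * CONSEQUENCE,
        "cost": sum(COMPONENT_COST[name] * n for name, n in redundancy.items()),
    }


def iterate(max_changes=10):
    """Assess, compare with the criterion, change the design, and repeat."""
    redundancy = {name: 1 for name in COMPONENT_RELIABILITY}
    history = [assess(redundancy)]
    while history[-1]["risk"] > ACCEPTABLE_RISK and len(history) <= max_changes:
        # Design change: add a unit to the stage most likely to fail.
        weakest = max(
            redundancy,
            key=lambda name: (1.0 - COMPONENT_RELIABILITY[name]) ** redundancy[name],
        )
        redundancy[weakest] += 1
        history.append(assess(redundancy))
    return history


if __name__ == "__main__":
    for step in iterate():
        print(step["redundancy"], f"R={step['reliability']:.6f}",
              f"risk=${step['risk']:,.0f}", f"cost=${step['cost']}k")
```

Each entry of the returned history pairs a design's cost with its reliability and risk, which is the cost-versus-reliability relationship the iteration is meant to expose.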

In  order  to  understand  how  reliability  analysis  methods  can  be  applied  to 
offshore  drilling  operations,  it  is  important  to  understand  how  these  operations 
are  managed.  The  current  management  system  has  evolved  since  the  start  of 
offshore  drilling  in  1955. 

2.2    Management  of  Offshore  Drilling  Operations 

Offshore  drilling  operations  are  carried  out  using  a  very  complex  organization 
of  personnel  and  equipment.  Because  of  the  high  cost  of  offshore  drilling,  many 
highly  specialized  service  companies  have  evolved  to  assist  the  well  operator. 
The  drilling  contractor  provides  the  MODU  and  its  crew.  The  operator  also 
contracts  for  secondary  services  such  as  cementing,  drilling  fluids,  well 
logging,  helicopters,  and  supply-boats.  This  functional  sub-division  of 
equipment,  engineering,  and  operations  personnel  into  highly  specialized  units 
tends  to  promote  a  high  level  of  efficiency  and  frees  the  operator  to  concentrate
on  the  overall  coordination  of  the  drilling  operations. 

Although  a  large  amount  of  planning  takes  place  prior  to  initiating  a  new 
drilling  program,  the  overall  process  always  involves  many  poorly  defined 
geologic  variables  and  requires  frequent  decisions  to  be  made  while  the  work  is 
in  progress.  The  on-site  operator's  representative  is  a  key  person  in  this 
process.  However,  he  is  supported  by  many  specialists  and  managers  in  his  company 
and  in  the  service  companies  assisting  with  the  work. 

The  main  elements  of  the  approach  used  to  manage  offshore  drilling  operations  are 
illustrated  in  Figure  3.  Company  policies  play  a  central  role  in  defining 
equipment  standards  and  operating  procedures.  The  policies  are  defined  in  various 
Procedures  Guides,  Safety  Manuals,  and  Drilling  Operations  Manuals.  These 
documents  are  based  on  the  collective  experiences  of  the  operations  personnel, 
engineers,  and  managers  of  the  company.  The  process  used  to  maintain  these 
documents  is  somewhat  similar  to  the  iterative  process  shown  in  Figure  2,  except 
that  it  is  based  on  actual  experience  and  carried  out  by  large  organizations  over 
a  long  period  of  time.  Upper  management  often  sets  goals  and  targets  for  reducing 
the  frequency  of  accidents.  They  also  offer  incentive  programs  to  help  promote 
safety awareness among field personnel.

Company  policy  is  based  on  input  from  many  sources.  When  an  offshore  drilling 
operation  moves  into  a  different  operating  environment  or  involves  the  use  of 
unproved  technology,  central  research  and  development  groups  and  technical 
support  groups  will  undertake  a  very  detailed  system  design  and  analysis. 
Technical  support  from  many  service  companies  is  commonly  part  of  this  effort. 
Reliability  analysis  methods  are  most  often  used  at  this  phase  of  the  operation. 
In  more  mature  operating  environments,  prior  experience  provides  valuable  input. 
Collective  experiences  from  many  sources  are  pooled  in  joint  industry  groups  such 
as the American Petroleum Institute (API), the International Association of
Drilling Contractors (IADC), and the Offshore Operators' Committee (OOC). API
sets  standards  for  various  types  of  drilling  equipment  and  publishes  recommended 
practices.  Classification  societies  have  also  been  developed  to  provide 
standards  for  the  construction  and  maintenance  of  the  vessels.  The  first  rules 
for  MODU's  were  published  in  1968  by  the  American  Bureau  of  Shipping  (ABS). 
Government  regulations  also  provide  minimum  standards  to  insure  acceptable  policy 
is  followed  throughout  the  industry. 

The  greatest  problem  faced  in  controlling  risk  is  not  the  development  of  safe 
procedures,  but  the  consistent  implementation  of  these  procedures.  Considerable 
effort  must  be  continuously  directed  towards  personnel  training  to  insure  all 
field  personnel  are  kept  abreast  of  the  appropriate  policy  for  their  job 
functions.  This  is  accomplished  through  training  seminars,  safety  meetings,  and 
on-the-job  training.  These  activities  also  stimulate  discussion  among  employees 
about  hazard  recognition  and  occasionally  provide  feedback  to  engineering  and 
management  concerning  new  problems  or  a  need  for  procedural  changes.  Detailed 
emergency  procedures  are  developed  for  every  foreseeable  situation  that  might 
arise  while  implementing  the  well  plan.  Examples  include  well  control  procedures, 
diverter  procedures,  emergency  evacuation  plans,  and  special  procedures  for 
simultaneous  drilling  and  production  operations.  Drills  are  conducted  on  a 
regular basis to insure that rig personnel have learned and remember the critical
safety procedures.

Figure 3 - Management of Risk in Offshore Drilling Operations


Company  policy  of  drilling  contractors  provides  for  comprehensive  preventative 
maintenance  (PM)  programs  on  rig  equipment.  Large  rig  contractors  maintain  a  data 
base  of  MODU  equipment  components  and  their  failure  rates  to  assist  in  scheduling 
preventative  maintenance.  Regular  schedules  for  testing  of  safety  system 
components  are  also  followed.  In  many  areas,  government  regulations  specify  a 
minimum  test  frequency  for  well  control  equipment.  Records  from  the  PM  and  Test 
programs  can  provide  valuable  input  to  the  database  needed  for  reliability 
studies  of  critical  well  systems.  Overall  rig  reliability  is  high  with  most 
contractors  reporting  rig  shut-downs  for  equipment  repair  of  1  to  3  percent  of 
the  contract  time. 

Many  companies  now  have  special  groups  concerned  only  with  safety  and 
environmental  protection.  These  groups  often  conduct  field  inspection  programs 
to  insure  that  all  systems  are  up  to  standards.  Comprehensive  check  lists  are 
followed  when  a  field  audit  is  made  by  such  a  group.  In  many  areas,  regulatory 
authorities  also  conduct  periodic  inspections.  Different  government  agencies  are 
concerned  with  different  aspects  of  the  operation  and  each  may  have  their  own 
inspection  program.  The  MODU  is  inspected  periodically  for  marine  safety  by  its 
flag  state  to  maintain  its  registration.  International  conventions  have  been 
developed  by  the  International  Maritime  Organization  to  set  minimum  safety 
standards  for  maritime  vessels.  Two  conventions  that  apply  to  MODU's  are  "Safety 
of  Life  at  Sea"  (SOLAS)  and  the  "Load  Line  Convention."  Individual  countries  may 
supplement  these  requirements.  Some  countries  require  a  certificate  issued  by  one 
of  the  Classification  Societies  before  a  vessel  can  operate  in  their 
jurisdiction.  Inspection  results  can  also  provide  input  to  the  managers  deciding 
company  policy. 

When  problems  occur,  the  companies  involved  conduct  a  study  of  the  causes  to 
determine  if  any  changes  could  be  made  to  prevent  similar  occurrences  in  the 
future.  Accident  Reports,  Near  Miss  Reports,  Injury  Reports,  Spill  Reports,  and 
Fire  Reports  are  all  common  report  types  used  to  communicate  problems  throughout 
the  company's  organization.  In  most  countries,  a  Regulatory  Notification  Program 
must  also  be  followed.  Serious  accidents  are  also  investigated  by  government 
regulatory  agencies. 

The  importance  of  past  experience  in  the  current  management  approach  is 
illustrated  in  Figure  4,  which  shows  the  MODU  hazard  rate  history.  The  "hazard 
rate"  is  based  on  the  frequency  of  accidents  that  were  severe  enough  to  cause  the 
rig  to  have  to  be  repaired  before  it  could  resume  operations.  Note  that  the 
hazard  rate  has  decreased  dramatically  from  1.2  incidents  per  MODU  per  year  just 
after  offshore  drilling  began  (1955-57)  to  0.03  incidents  per  MODU  per  year 
during the 1984-88 period. While the most dramatic improvements were made during
the  first  decade  of  activity,  improvements  have  continued  to  the  current  time. 
Proponents  of  formal  risk  management  methods  argue  that  early  use  of  these 
methods  could  have  improved  this  learning  curve.  Figure  4  also  shows  that 
structural  failures  and  blowouts  were  the  hazards  accounting  for  most  of  the 
accidents. 
Figure 4 - Historical Hazard Rate for Mobile Offshore Drilling Units, 1955-88
(Incidents Requiring MODU to be taken out of Service)
(Vertical axis: MODU Hazard Rate, No. of Incidents per MODU per Year; periods shown: 1955-57, 1968-72, 1973-77, 1978-83, 1984-88)

2.3      Primary Hazards


The  greatest  hazards  affecting  offshore  drilling  operations  that  were  identified 
in  this  study  included: 

1.  damage  to  structures  (weather,  collisions,  etc.) 

2.  blowouts 

a.  deep,  high  pressure  hydrocarbons 

b.  shallow  gas 

3.  personal  injury  (rig  floor  accidents),  and 

4.  spills 

2.3.1  Damage  to  Structures  and  Blowouts 

Listed in Table 2 are the 10 worst accidents (most lives lost) suffered by the
offshore  oil  and  gas  industry.  Note  that  eight  of  these  occurred  on  MODU's, 
although  the  Alexander  Kielland  was  being  used  as  a  personnel  accommodation  unit 
(Hotel).  Five  of  the  MODU's  listed  were  either  on  standby  due  to  severe  weather 
or  under  tow  at  the  time  of  the  accident.  Only  two  were  engaged  in  exploratory 
drilling  activities  at  the  time  of  the  accident  and  they  involved  loss  of  well 
control  (blowouts).  The  C.  P.  Baker,  which  was  the  only  case  listed  in  U.S. 
waters,  was  a  shallow  gas  blowout.  In  the  Gulf  of  Mexico,  about  one  well  in  900 
experiences  a  shallow  gas  flow. 

The  blowout  hazard  rate  for  MODU's  is  shown  in  Figure  5  for  several  time  periods. 
The  blowout  hazard  rate  decreased  dramatically  from  about  0.15  blowouts  per  MODU 
per  year  during  1955-57  to  about  0.006  blowouts  per  MODU  per  year  during  1984-88. 
The  slight  reversal  in  the  downward  trend  during  1978-83  occurred  in  a  period 
of  high  oil  prices,  rapidly  increasing  activity  and  shortages  of  experienced 
manpower.

2.3.2  Personal  Injury 

The  reported  rate  of  personal  injury  for  offshore  drilling  operations  is  shown 
in Figure 6. The rate reported in 1989 was 2.44 accidents per 200,000 hr in U.S.
waters and 0.87 accidents per 200,000 hr outside of U.S. waters. For a 2000-hr
work-year, these rates correspond to a personal injury risk of about 0.01-0.02
injuries  per  worker  per  year.  It  was  not  determined  if  reporting  practices  were 
consistent  throughout  the  world.  Personnel  accident  statistics  are  usually  broken 
down  into  the  following  categories: 

1.  occupation  or  job  description, 

2.  part  of  body  injured, 

3.  accident  type, 

4.  equipment  being  used, 

5.  operation  in  progress,  and 

6.  location. 

Statistics compiled by IADC show that the most commonly injured worker is the
roughneck;  the  most  common  injury  is  to  the  back;  the  most  common  location  is  the 
drill  floor;  and  accidents  most  commonly  occur  while  handling  drill  pipe  or  other 
tubulars  while  tripping  operations  are  in  progress.  This  justifies  continued 
DATE       NAME                 STRUCTURE TYPE    LOCATION              ACTIVITY               FATALITIES
6/6/88     Piper Alpha          Fixed (Steel)     Scottish North Sea    Production                167
3/27/80    Alexander Kielland   Semisubmersible   Norwegian North Sea   Accommodation             123
3/11/89    Seacrest             Drillship         Thailand              Stand-by (Storm)           91
2/15/82    Ocean Ranger         Semisubmersible   Newfoundland          Stand-by (Storm)           84
10/26/83   Glomar Java Sea      Drillship         China                 Stand-by (Storm)           81
11/25/79   Pohai 2              Jack-up           China                 Under Tow                  72
8/16/84    Enchova PCE-1        Fixed (Steel)     Brazil                Development Drilling       37
6/30/64    C. P. Baker          Drillship         Louisiana             Exploratory Drilling       22
12/30/56   Qatar I              Jack-up           Qatar                 Dry Tow                    20
10/2/80    Ron Tappmeyer        Jack-up           Saudi Arabia          Exploratory Drilling       19

Table 2 - Ten Worst Accidents during Offshore Oil and Gas Operations, 1955-88.
Figure 5 - Historical Blowout Rate for Mobile Offshore Drilling Units, 1955-88
(Vertical axis: MODU Blowout Rate, No. of Incidents per MODU per Year; periods 1955-57 to 1984-88)

Figure 6 - Personal Injury Rate on Mobile Offshore Drilling Units (IADC Accident Statistics)
(Vertical axis: MODU Accident Rate, No. of Incidents per 200,000 Working Hours; horizontal axis: Year)
emphasis  on  developing  more  automated  systems  for  the  drill  floor.

Table  3  compares  the  fatal  accident  rate  (FAR)  for  U.K.  offshore  drilling 
operations  to  other  industrial  and  non-industrial  activities.  The  FAR  for 
offshore  drilling  in  the  U.K.  is  reported  to  be  20  fatalities  per  100  million 
working hours. Using the IADC database, the FAR for offshore workers worldwide
is  21  fatalities  per  100  million  working  hours.  For  a  2000-hr  work-year,  this 
corresponds  to  a  risk  of  0.0004  fatalities  per  worker  per  year. 

2.3.3  Spills 

Table  4  shows  the  top  13  oil  spills  from  offshore  drilling  operations.  All  of 
these  spills  resulted  from  blowouts.  The  total  oil  spills  associated  with 
drilling  operations  worldwide  while  drilling  53,000  wells  is  approximately  6 
million  barrels.  Assuming  that  one  drilling  unit  can  average  about  5  wells  per 
year  yields  an  apparent  risk  of  about  600  bbl  per  year  per  rig.  Over  80  percent 
of  this  oil  was  spilled  in  two  blowouts.  One  was  offshore  near  Mexico  and  the 
other  was  offshore  near  Dubai.  The  apparent  probability  of  a  spill  of  greater 
than  150,000  bbl  is  about  0.0001  per  well. 

2.3.4  Overall  Risk 

Shown  in  Figure  7  is  a  recently  published  estimate  (Bea,  1990)  of  the  overall 
risks  of  various  system  groups  as  of  1984.  Note  that  MODU's  fall  near  the 
author's "marginally acceptable" line and cover the ranges of 0.1-1.0 lives per
year  and  0.1  to  1.0  million  dollars  per  year.  The  estimated  risk  for  MODU's  was 
below  that  of  merchant  shipping  but  well  above  that  for  commercial  aviation.  This 
estimate  appears  to  be  in  approximate  (order  of  magnitude)  agreement  with  an 
apparent  value  from  recent  statistics  reported  to  the  Worldwide  Offshore  Accident 
Data bank (WOAD). During the 32 month period of 1/1/88 to 8/31/90 there were 115
reported fatalities associated with 33 accidents to MODU's. For an average annual
rig count of approximately 700, the apparent annual risk for this period was
115/[(2.5)(700)] or 0.07 fatalities per MODU per year. During this same period,
the  estimated  total  monetary  loss  associated  with  these  33  accidents  was  432 
million  dollars  or  0.25  million  dollars  per  year. 

2.4    Current  Use  of  Reliability  Analysis 

The  overall  drilling  process  does  not  lend  itself  easily  to  classical  reliability 
analysis. Use of formal reliability analysis methods is generally limited to
critical  operations  and  the  design  of  important  sub-systems  of  the  MODU.  Often 
these  sub-systems  are  designed  and  built  by  a  service  company  and  purchased  or 
leased  by  the  well  operator.  The  operator  will  take  a  lead  role  in  designing  new 
systems  primarily  when  they  are  needed  to  move  into  a  frontier  area  requiring  the 
use  of  unproved  technology.  Examples  of  offshore  drilling  sub-systems  and 
processes  that  have  been  studied  using  reliability  analysis  procedures  include: 

1.  escape  systems, 

2.  shelter  areas, 

3.  structure  response  to  wind  and  waves, 

4.  dynamic  positioning  and  vessel  mooring  systems, 

5.  diverter systems,




INDUSTRY             FAR
Chemical Industry    3.5
Steel Industry       8
Offshore Drilling    20
Fishing              35
Coal Mining          40
Construction         67

Table 3 - Fatal Accident Rates (FAR) per 100 Million Working Hours for
Industrial Activities in Great Britain.

OFFSHORE AREA   REPORTED SPILL (BBLS)   YEAR   OPERATION UNDERWAY
Mexico               3,000,000          1979   Exploratory Drilling
Dubai                2,000,000          1973   Development Drilling
Iran                   480,000          1983   Production
Mexico                 247,000          1986   Workover
Nigeria                200,000          1980   Development Drilling
Norway                 158,000          1977   Workover
Iran                   100,000          1980   Development Drilling
California              77,000          1969   Development Drilling
Saudi Arabia            60,000          1980   Exploratory Drilling
Mexico                  56,000          1987   Exploratory Drilling
Louisiana               53,000          1970   Unknown
Louisiana               30,000          1970   Production
Trinidad                10,000          1973   Development Drilling

Table 4 - Large Oil Spills resulting from Offshore Oil Well Blowouts
Figure 7 - Historical Relationship of Risks and Consequences for Engineered
Structures (After Bea, 1990)

6.  blowout preventer control systems,

7.  ballast  control  systems, 

8.  pressure  vessels  and  piping  systems, 

9.  simultaneous  drilling  and  production  operations,  and 

10.  surface  well  testing  on  MODU's. 

Several of these types of studies have been documented in the literature
(Ritchie and Van Cleave, 1972; Ingram and Dee, 1973; Lewis and Ostebo, 1989;
Moss, 1990; Lindemann and Huse, 1991; Oillier, Imrie, and Talbott; and Pietersen
and Engelhard, 1991). Most of the published work has been done by consultants
specializing  in  reliability  analysis  procedures. 

3.  Problem Areas

Formal  reliability  analysis  methods  have  been  and  will  continue  to  be  one  of  the 
many  tools  for  managing  risks  in  offshore  oil  and  gas  operations.  However, 
quantitative  reliability  analysis  methods  for  offshore  drilling  operations  are 
hampered by difficulties in obtaining accurate failure mode and failure rate data
for  the  many  components  in  a  given  system.  It  is  likewise  often  difficult  to 
obtain  an  accurate  probability  distribution  for  losses  resulting  from  a  system 
failure.  Failure  rates  are  often  affected  by  the  conditions  under  which  the 
component  was  operated  and  by  the  PM  program  followed.  The  operating  environment 
can  vary  from  well  to  well  and  the  PM  program  can  vary  from  company  to  company. 
Manufacturers  are  continually  modifying  their  products  in  attempts  to  improve 
reliability  or  reduce  costs.  Failure  rates  and  failure  modes  are  also  influenced 
by  human  errors  in  the  way  the  system  is  operated.  The  accurate  modeling  of  human 
error  in  reliability  analysis  becomes  increasingly  difficult  as  the  complexity 
of  the  system  increases  and  as  the  amount  of  interaction  required  for  system 
operation  increases.  All  of  these  factors  complicate  the  development  of  accurate 
reliability  databases.  A  quantitative  reliability  analysis  is  usually  possible 
only  for  relatively  simple,  highly  automated  sub-systems. 

3.1  Human Error

Detailed  studies  conducted  after  every  major  accident  invariably  determine  that 
errors  in  judgment  were  major  contributors  to  the  problems  that  occurred.  This 
justifies  continuing  and  intensifying  the  large  effort  being  made  in  the  area  of 
personnel  training.  Regulatory  requirements  now  specify  minimum  training 
requirements  for  most  offshore  drilling  job  descriptions.  Training  certification 
procedures  vary  from  country  to  country. 

3.2  Multiplicity  of  Regulatory  Agencies 

The  companies,  equipment,  and  personnel  involved  in  offshore  drilling  operations 
are  becoming  increasingly  mobile  and  international.  Certification,  training,  and 
other  regulatory  compliance  procedures  are  becoming  difficult  to  learn  and 
manage  due  to  the  growing  number  of  agencies  that  may  have  to  be  dealt  with  in 
a  short  period  of  time.  Some  of  these  agencies  have  overlapping  requirements. 
Internationally  recognized  standards  and  certificates  are  badly  needed. 
4.     Research  Needs


Four general areas were recommended to be given a high priority for additional
research.  These  included: 

1.  rig  automation,   especially  in  the  area  of  pipe  handling, 

2.  escape  and  evacuation  in  harsh  environments, 

3.  handling shallow gas flows (including early consideration in facility
design),

4.  optimum  frequency  of  testing  subsea  blowout  preventer  equipment,  and 

5.  safety  margins  in  casing  programs. 

5.  Opportunities for Implementation and Application

Current  international  trends  show  an  increasing  emphasis  being  placed  on 
reliability  analysis  methods  by  regulatory  agencies  responsible  for  public  safety 
issues in offshore drilling operations. The consensus of the working group was
that  a  routine  use  of  formal  reliability  analysis  mandated  by  government 
regulations  will  probably  be  of  minimal  benefit  in  improving  safety  of  routine 
offshore  drilling  operations  in  mature  operating  areas.  The  most  promising 
opportunities  for  implementation  and  application  of  formal  risk  analysis  continue 
to  be  in  evaluating  new  designs  and  concepts.  For  example,  all  of  the 
recommended  research  and  development  areas  listed  above  could  benefit  from  the 
use  of  reliability  analysis  methods. 

As  a  result  of  the  Piper  Alpha  Disaster,  the  Cullen  Report  (1990)  was  recently 
released.  Although  Piper  Alpha  was  a  production  operation,  some  of  the 
recommendations  of  this  report  are  pertinent  to  offshore  drilling  operations. 
This report recommends that, "... no mobile installation should be brought into
these waters ... unless a Safety Case in respect of that installation has been
submitted  to  and  accepted  by  the  regulatory  body."  A  Safety  Case  is  required  to 
demonstrate  that: 

1.  the  safety  management  system  of  the  company  and  the  installation  are  adequate 
to  insure  that  the  design  and  the  operation  of  the  installation  are  safe, 

2.  that  major  hazards  and  risks  have  been  identified  and  appropriate  controls 
provided, 

3.  that  adequate  provision  is  made  for  ensuring,  in  the  event  of  a  major 
emergency,  a  temporary  safe  haven  and  a  safe  evacuation  and  rescue. 

Safety  Case  and  HAZOP  Plans  are  currently  being  formulated  for  several  MODU's  to 
meet  regulatory  requirements.  It  is  recommended  that  the  differences  and  benefits 
resulting  from  this  work  as  compared  to  existing  plans  and  methodology  be 
carefully  studied  and  the  results  of  this  study  published. 

Many  engineers  involved  in  offshore  oil  and  gas  operations  are  not  familiar  with 
the  various  reliability  analysis  techniques  available.  Additional  training 
opportunities  in  this  area  could  make  these  tools  available  to  a  much  larger 
group.  The  engineers  involved  routinely  in  solving  the  problems  of  the  offshore 
drilling industry are in a good position to see areas where these tools can be
effectively applied.

Appendix A

Preliminary  or  Gross  Hazard  Analysis  -  A  Preliminary  Hazard  Analysis  is  usually 
the  first  step  in  the  reliability  assessment  procedure.  Check  lists  and  forms  are 
used  to  list  all  of  the  hazardous  materials,  situations,  events,  potential 
accidents,  and  potential  human  errors  that  can  be  identified.  Previous 
experiences  of  similar  installations  are  systematically  incorporated  into  the 
special  forms  of  check  lists  used.  The  last  step  of  the  procedure  is  to  define 
rules,  policy,  and  procedures  that  will  control  the  hazards  identified.  A 
distinction  is  sometimes  made  between  a  Gross  Hazard  Analysis  and  a  Preliminary 
Hazard Analysis based on the arrangement of items on the forms. The preliminary
analysis is inductive, starting with the possible causes and leading to the
possible losses. The Gross Hazard Analysis is deductive, starting with the
possible  losses  and  proceeding  to  their  causes.  Safety  manuals  and  MODU 
inspection  checklists  are  often  the  product  of  a  hazard  analysis. 

Hazard  and  Operability  Studies  (HAZOP)  -  Hazard  and  Operability  Studies  are  used 
to  identify  potential  types  of  accidents  that  can  be  traced  through  a  series  of 
events.  Possible  deviations  of  each  physical  parameter  are  considered  to 
determine  combinations  that  are  potentially  hazardous.  Often  the  HAZOP  approach 
will  be  undertaken  by  an  independent  safety  review  or  audit  group  that  has  no 
involvement  in  the  project  development.  In  other  cases,  the  HAZOP  team  will 
include  the  key  personnel  from  the  project  group. 

Failure  Mode  and  Effect  Analysis  -  The  Failure  Mode  and  Effect  Analysis  (FMEA) 
procedure  can  be  used  to  identify  how  the  system  under  consideration  works  and 
fails.  A  related  procedure,  called  the  Failure  Mode,  Effects,  and  Criticality 
Analysis (FMECA), is used to identify the weakest links in the design. These
methods  are  inductive,  starting  with  all  of  the  possible  failure  modes  of  each 
system  component  and  proceeding  to  the  effects  or  consequences  of  these  failure 
modes.  The  final  step  involves  identifying  corrective  action  for  control  of  the 
hazards  identified.  These  methods  can  be  extremely  time  consuming  and  often  are 
not  practical  for  large  systems  with  substantial  redundancy.  They  are  more  useful 
for  analyzing  equipment  failures  than  for  situations  involving  possible  human 
actions,  which  can  be  more  difficult  to  forecast. 

Concept  Safety  Evaluation  -  Concept  Safety  Evaluations  have  as  their  main 
objective  the  determination  of  the  accidental  loads  that  the  safety  functions  of 
the  escapeways,  shelter  areas,  and  support  structure  should  be  able  to  withstand. 
The  accident  loads  are  called  the  Design  Accidental  Events  (DAE)  and  are 
expressed  in  terms  of  heat  loads,  explosion  overpressures,  and  impact  energies. 
The  evaluation  thus  defines  the  conditions  under  which  people  outside  the 
immediate  vicinity  of  a  fire  or  explosion  will  be  able  to  reach  the  shelter  area 
and  remain  safe  while  an  orderly  evacuation  is  taking  place. 

Event  Trees  -  Event  Trees  are  used  to  study  identified  hazards  in  more  detail. 
The  starting  point  of  an  event  tree  is  the  initiating  event  or  failure  that  can 
be  traced  through  the  system.  Each  operation  or  system  leads  to  two  paths  of 
known probability (success or failure). The failure path of each branch proceeds
to the next back-up device, and composite probabilities are calculated. Failure
paths  are  then  studied  in  more  detail  using  a  Fault  Tree. 

Fault  Trees  -  Fault  Trees  are  similar  to  Event  Trees  except  that  they  are 
deductive  rather  than  inductive.  Thus,  the  undesirable  event  is  the  starting 
point  of  a  fault  tree.  The  cause  of  the  event  is  identified,  and  this  is 
considered  an  event  for  subsequent  cause  evaluation.  When  an  intermediate  event 
is  caused  by  several  simultaneous  events,  they  are  linked  by  an  "or"  gate  symbol. 
This  process  is  repeated  until  all  of  the  possible  root  causes  are  determined. 
By  using  Boolean  algebra,  it  is  possible  to  find  all  combinations  of  basic  events 
that  will  lead  to  the  top  event.  Single  basic  events  that  will  lead  to  the  top 
events  are  called  first  order  failures.  When  two  basic  events  are  required,  they 
are called second order failures, etc. When failure probability data are
available on each component, composite probabilities can be calculated.

Reliability  Diagrams  -  Reliability  Diagrams  are  used  to  graphically  represent  all 
possible  combinations  that  can  cause  a  given  failure  mode.  Thus,  they  are 
somewhat  similar  to  Fault  Trees  but  are  usually  used  in  a  qualitative  manner. 
Generally each component is considered to have two states (good or failed), and
each component is represented graphically as a switch (open for failed). In
order  to  find  the  combination  of  events  leading  to  system  failure,  the  diagram 
is  studied  to  determine  the  combination  of  open  switches  that  will  result  in  an 
open  composite  circuit.  When  a  combination  of  open  switches  that  will  cause 
system  failure  is  identified,  they  are  called  a  "cut-set."  When  all  of  the  open 
switches  are  necessary  to  cause  failure,  the  cut-set  is  said  to  be  "minimal." 
Similarly,  a  combination  of  closed  switches  that  will  prevent  system  failure  is 
called a "tie-set," and the minimal number of closed switches to prevent failure
is called the "minimal tie-set."

Markov Diagrams - Markov Analysis is a procedure that can be employed when it is
necessary  to  define  component  failure  as  a  function  of  time.  It  allows  for 
change  of  state  of  each  component  with  time  and  requires  a  knowledge  of  both 
failure  rate  and  repair  rate.  Markov  Analysis  is  extremely  complex,  practical 
only  on  a  high  speed  computer,  and,  in  general,  only  applied  for  limited  systems 
with  a  high  maintenance  requirement  in  order  to  prioritize  maintenance  work. 

Monte  Carlo  Simulations  -  The  Monte  Carlo  simulation  method  is  a  general 
technique  that  can  be  applied  to  determine  the  probability  of  different  modes  of 
failure  of  a  complex  system.  Frequency  diagrams  for  the  various  possible  states 
of  each  component  are  defined.  Also,  the  range  of  possible  physical  values  of 
each  parameter  in  the  system  (such  as  pressures,  flow  rates,  etc.)  can  also 
be  defined  in  terms  of  a  probability  or  frequency  distribution.  The  probable 
state  of  each  component  and  physical  parameter  is  then  simulated  through  the  use 
of  random  number  generators  or  tables.  By  running  a  large  number  of  simulations 
on  a  computer  (perhaps  as  many  as  100,000),  a  sample  of  possible  events  is 
obtained that can be used statistically to determine the composite events that
are most likely to occur and their corresponding probabilities.

Common  Cause  Analysis  -  The  Common  Cause  Analysis  method  is  used  to  correlate 
events.  The  probability  of  a  second  order  failure  will  be  greater  if  the  two 
basic  events  required  for  system  failure  have  a  common  cause.  Also,  redundancy 
systems  cannot  be  depended  upon  if  they  have  a  common  failure  cause  with  the 
primary  system.  Common  mode  failures  can  arise  on  a  redundancy  system  as  a 
result  of  either  poor  design  or  improper  installation.  A  common  cause  failure 
search  is  very  difficult  to  conduct,  generally  requiring  considerable  experience 
and  judgment. 
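
The fault tree, cut-set, Monte Carlo and common cause ideas described above can be carried through on one small tree. The Python example below is added here and is not part of the original proceedings; it uses the standard gate convention (an AND gate requires all of its inputs, an OR gate any one of them), and the blowout preventer tree, the event names and the failure probabilities are constructed for illustration, not taken from any databank.

```python
import itertools
import random

# A tree node is either a basic-event name (str) or a gate: ("AND" | "OR", [children]).

def cut_sets(node):
    """Expand a fault tree top-down into cut sets (frozensets of basic events)."""
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(child) for child in children]
    if kind == "OR":       # any one input causes the gate event
        return set().union(*child_sets)
    if kind == "AND":      # every input must occur: take one cut set from each child
        return {frozenset().union(*combo) for combo in itertools.product(*child_sets)}
    raise ValueError(f"unknown gate type: {kind!r}")


def minimal_cut_sets(node):
    """Drop every cut set that strictly contains another one (Boolean absorption)."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def by_order(mcs):
    """Group minimal cut sets by order: 1 = first order failure, 2 = second order."""
    orders = {}
    for cs in mcs:
        orders.setdefault(len(cs), []).append(sorted(cs))
    return orders


def top_probability(mcs, p):
    """Exact top-event probability for independent basic events (state enumeration)."""
    events = sorted(p)
    total = 0.0
    for states in itertools.product([False, True], repeat=len(events)):
        failed = {e for e, is_failed in zip(events, states) if is_failed}
        if any(cs <= failed for cs in mcs):
            weight = 1.0
            for e, is_failed in zip(events, states):
                weight *= p[e] if is_failed else 1.0 - p[e]
            total += weight
    return total


def monte_carlo(mcs, p, trials=100_000, seed=1):
    """Estimate the same probability by sampling component states at random."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        failed = {e for e, pe in p.items() if rng.random() < pe}
        if any(cs <= failed for cs in mcs):
            hits += 1
    return hits / trials


# Constructed example: a blowout preventer fails to close on demand.
# INDEPENDENT treats the two redundant rams as unrelated components.
INDEPENDENT = ("OR", ["control_panel", ("AND", ["ram_A", "ram_B"])])
# COMMON_CAUSE adds a hydraulic supply shared by both rams.
COMMON_CAUSE = ("OR", ["control_panel",
                       ("AND", [("OR", ["ram_A", "hydraulic_supply"]),
                                ("OR", ["ram_B", "hydraulic_supply"])])])
# Constructed per-demand failure probabilities (assumptions, not field data).
P = {"control_panel": 0.001, "ram_A": 0.02, "ram_B": 0.02, "hydraulic_supply": 0.005}

if __name__ == "__main__":
    for name, tree in (("independent", INDEPENDENT), ("common cause", COMMON_CAUSE)):
        mcs = minimal_cut_sets(tree)
        print(name, by_order(mcs))
        print("  exact      :", round(top_probability(mcs, P), 7))
        print("  monte carlo:", round(monte_carlo(mcs, P), 7))
```

The shared hydraulic supply turns the redundant ram pair from a purely second order failure into a system with an extra first order cut set, which is why the top-event probability rises several-fold even though each ram is unchanged.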

OFFSHORE ACCIDENTS - LESSONS TO BE LEARNED


Robert  C.  Visser 
Belmar  Engineering,  Redondo  Beach,  CA 

ABSTRACT 

Major  offshore  accidents  receive  a  large  amount  of  publicity  and  are  instrumental 
in  enacting  new  and/or  revised  industry  standards  and  governmental  regulations. 
The  paper  discusses  major  accidents  that  have  occurred  during  the  past  two 
decades  and  the  effect  that  these  accidents  have  had  on  improving  the  reliability 
of  offshore  operations.  The  paper  also  discusses  the  importance  of  analyzing 
minor  accidents  that  are  not  in  the  news  through  the  use  of  databanks. 

1.  Introduction 

1.1  Scope 

This  discussion  on  offshore  accidents,  and  what  has  been  learned  from  them, 
relates to operations involving fixed offshore platforms and facilities.
Accidents involving mobile offshore drilling units are outside the scope of this
paper.

1.2  Background

Until the late 1960's the integrity of the design and operational safety of
offshore platforms was largely the responsibility of the owner-operators who used
a  variety  of  industry  and  in-house  standards.  Industry  structural  design 
standards  were  first  introduced  following  the  disastrous  1964  and  1965  Hilda  and 
Betsy  hurricanes  during  which  23  platforms  were  destroyed.  These  incidents 
received  little  publicity  outside  the  industry  because  no  lives  were  lost  and 
little  pollution  occurred. 

This  was  not  the  case,  however,  with  two  high  visibility  accidents  that  occurred 
in  1969  and  1970.  The  Dos  Cuadras  platform  A  blowout  offshore  California  in  the 
Santa  Barbara  Channel  and  the  Bay  Marchand  platform  B  fire  in  the  Gulf  of  Mexico, 
focused  the  attention  of  the  news  media,  and  thus  the  public,  on  the  real  and 
perceived hazards of offshore production operations.

The  offshore  industry  has  not  been  the  same  since.  These  accidents  resulted  in 
stricter  regulations  and  a  much  greater  involvement  by  governmental  agencies. 
The  indirect  consequences  of  the  Santa  Barbara  accident  on  offshore  California 
development  are  being  felt  to  this  date  through  drilling  moratoriums  and  missed 
development  opportunities. 

Accidents  in  the  North  Sea,  both  offshore  Norway  and  the  United  Kingdom,  created 
a  next  level  of  government  involvement  through  requirements  for  the  platform 
operator  to  perform  detailed  platform  and  risk  management  safety  analyses. 
There is thus an ongoing trend by regulatory agencies to require that the design
of an offshore platform and facility be based on a reliability analysis. The
Norwegian Petroleum Directorate has adopted this methodology in their
regulations. The Cullen report, adopted in its entirety by the British
government, recommends the use of Formal Safety Assessments. In the United States
there  is  considerable  hesitancy  to  adopt  the  use  of  reliability  methods  because 
of  difficulties  encountered  by  the  nuclear  power  industry  when  it  adopted  the 
reliability  analysis  concept.  It  is  recognized,  however,  that  the  method  is 
useful  for  specific  applications,  such  as  an  evaluation  or  re-evaluation  of  a 
platform operation.

2.  Accident  Databanks 

For  designers  and  regulators  alike  it  is,  therefore,  of  importance  to  know  what 
causes  offshore  accidents.  Determination  of  the  causes  of  offshore  accidents, 
the  probability  of  occurrence  and  their  potential  impact  requires  an  accurate 
database  of  offshore  accidents  covering  a  number  of  years. 

Offshore  accidents  have  been  compiled  in  databanks  by  several  organizations.  The 
Institute  Francais  du  Petrole  database  contains  a  listing  of  some  850  accidents 
on fixed platforms and mobile drilling units. The World Offshore Accident
Database (WOAD) compiled by Veritec contains some 1800 accident and 4000 incident
entries. The Offshore Reliability Data (OREDA) handbook provides statistical
information on the failure rate of specific equipment items. The Mineral
Management  Service  database  contains  all  reported  accidents  in  the  United  States 
federal  waters  from  1965  to  1986. 

None  of  these  databases  are  complete  or  even  accurate  and  interpretation  of  the 
data  requires  judicious  and  knowledgeable  analysis.  The  frequency  of  accidents 
may  be  particularly  misleading  because  during  the  earlier  years  of  data  gathering 
minor  incidents  were  not  reported.  The  databanks  do,  however,  provide  a  valuable 
tool  to  analyze  the  frequency  and  magnitude  of  potential  accidents  and  determine 
an  acceptable  safety  level. 

3.  Offshore Accidents

3.1  Hazards

The  principal  hazards  that  may  result  in  a  loss  of,  or  damage  to,  an  offshore  oil 
and  gas  installation  are: 

o  Platform collapse due to storms, earthquakes, foundation failure,
   corrosion or collision,

o  Blowouts during well drilling or well workovers,

o  Fires and/or explosions due to process upsets or equipment failure.

3.2  Causes

The  causes  for  all  offshore  accidents  can  be  grouped  into  one  or  more  of  the 
following  categories: 

o  Human error,

o  Inadequate maintenance,

o  Underdesign of platform or facility,

o  Simultaneous operations,

o  Collision.


Of  these,  the  human  error  factor  is  by  far  the  predominant  cause  of  accidents. 
The  WOAD  databank  reports  that  some  70  percent  of  all  accidents  are  caused  by 
human error. Of course, many accidents classified as human error also belong
in one of the other categories. A further breakdown of human error into
categories such as inadequate procedure, communication error, violation of
procedure, etc., is recommended in the companion paper at this session dealing
with data collection methods for hydrocarbon leaks.

3.3  Consequences

The  consequences  of  an  offshore  accident  include: 

o  Death and/or injury to personnel,

o  Loss of, or damage to, platform and facilities,

o  Pollution and associated clean-up costs,

o  Loss of production income,

o  Loss of reserves, the capital assets of the owner-operator.


As  noted  earlier,  these  losses  may  far  transcend  the  direct  financial  loss  from 
the  accident  if  it  results  in  new,  more  restrictive,  regulations  or,  worse,  in 
precluding  opportunities  for  further  development. 

It  is  estimated,  for  instance,  that  as  a  result  of  the  Cullen  report 
recommendations  as  many  as  ten  percent  of  the  remaining  undeveloped  United 
Kingdom  offshore  fields  may  no  longer  be  commercial  because  of  increased 
development  costs. 

3.4  Risk Management

Corrective  and  preventive  measures  to  reduce  the  risk  of  an  accident  form  the 
basis  of  all  governmental  and  industry  regulations  and  standards.  These  measures 
include:

o  Training and/or qualifying operating and drilling personnel,

o  Inspection and maintenance,

o  Design requirements and verification,

o  Prohibition of certain operations.

Revisions  to  offshore  regulations  are  to  a  large  extent  reactive.  In  other 
words, a specific accident, such as the Piper Alpha accident, will focus
attention upon a specific hazard and regulations are then promulgated to reduce the
possibility  of  that  particular  hazard  from  occurring  again. 

Because  of  public  involvement  in  these  decisions  the  actual  risk  of  a  particular 
failure  occurring  is  often  ignored. 

4.  Major Accidents

Major  accidents  are  defined  for  this  discussion  as  those  accidents  that  had  a 
profound effect on the way we do business. In other words those accidents that
resulted  in  new  or  revised  regulations  and/or  industry  standards. 

The  six  incidents  that,   in  the  author's  opinion,  had  the  greatest  impact  are: 

1.  Platform  failures  during  hurricanes  Hilda  and  Betsy, 

2.  Dos  Cuadras  platform  A  blowout  in  the  Santa  Barbara  Channel, 

3.  Bay  Marchand  platform  B  fire  in  the  Gulf  of  Mexico, 

4.  Ekofisk  platform  Bravo  blowout  in  the  North  Sea, 

5.  Alexander  L.   Kielland  capsizing  at  the  Edda  platform  in  the  North  Sea, 

6.  Piper  Alpha  explosion  and  fire  in  the  North  Sea. 

Details  of  each  of  these  accidents  are  described  in  the  following.  A  summary  of 
the  accidents  is  presented  in  Table  1. 

4.1  Platform Structural Failures

During  hurricanes  Hilda  (1964)  and  Betsy  (1965)  twenty-three  platforms  out  of  a 
then  total  population  of  about  1000  platforms  in  the  Gulf  of  Mexico  either 
collapsed  or  were  damaged  to  the  point  that  they  were  no  longer  useable. The 
majority  of  the  failures  were  attributed  to  structural  underdesign.  There  were 
no  injuries  and  no  lives  were  lost.  An  unknown  amount  of  pollution  occurred  but 
this  was  not  of  public  concern  in  1964  and  1965. 

The commonly used design criterion at that time was a 25 year storm, equal to the
anticipated economic life of the field. As a result of these failures the storm
design criterion was replaced with a more conservative 100 year storm. At the
same  time  the  offshore  industry  recognized  that  a  more  uniform  offshore  design 
guide  was  required,  leading  to  the  formation  of  the  API  RP  2A  committee  and  the 
subsequent  issuance  in  1969  of  the  first  offshore  platform  design  guideline. 
Over  the  years  this  document  has  evolved  from  a  rather  simple  set  of  guidelines 
to  a  detailed  design  manual  covering  all  aspects  of  structural  design  in  various 
locations  around  the  United  States.  The  current  issue  was  published  in  September 
1989.  It  is  153  pages  long.  By  comparison  the  first  edition  in  1969  totaled  15 
pages. 

The success of this industry effort is illustrated on Figure 1. The annual failure
rate Pf has decreased from an average of 38 x 10^-4 during the 1963 to 1968
period to an average of less than 2 x 10^-4 during the most recent 1983 to 1988
period. 

4.2  Dos Cuadras Platform A Blowout

The  now  infamous  Platform  A  blowout  in  federal  waters  of  the  Santa  Barbara 
Channel  in  January  1969  occurred  during  the  drilling  of  the  fifth  development 
well  from  the  platform  and  was  caused  by  an  inadequate  conductor  and  surface 
casing  design.  Although  the  blowout  equipment  was  successful  in  controlling  the 
blowout,  the  well  subsequently  blew  out  next  to  the  platform  through  near  surface 
fractures.  There  were  no  injuries  or  fatalities.  A  portion  of  the  estimated 
70,000  barrel  oil  spill  reached  the  coast  and  created  immense  public  uproar  and 
media  attention.  ... 

The  accident  would  not  have  occurred  if  conventional  casing  design  and  setting 
depth  had  been  used.  Following  the  incident  the  Mineral  Management  Service 
substantially revised its OCS orders to strengthen the requirements for drilling
procedures  and  include  requirements  for  near  surface  seismic  surveys  to  assist 
in  the  design  of  casing  setting  depth. The  OCS  orders  were  superseded  in  1988 
by  the  currently  used  general  rules  and  regulations. 

4.3  Bay  Marchand  Platform  B 

The  Bay  Marchand  Platform  B  platform  (usually  referred  to  as  South  Timbalier 
Block  26  in  the  databanks)  was  a  typical  Gulf  of  Mexico  structure  with  space  for 
36  wells  and  located  in  55  feet  of  water.  At  the  time  of  the  accident  in 
December  1970  twenty-two  wells  had  been  completed  and  were  producing  17,500 
barrels  of  oil  per  day.  Two  drilling  rigs  were  drilling  additional  development 
wells.  A  wireline  unit  was  installed  on  one  well  to  remove  obstructions  from  the 
tubing.  The  safety  valve  had  been  removed.  During  a  coffee  break  of  the 
wireline  crew  the  well  started  flowing  past  the  incompletely  closed  master  valve 
and  caught  on  fire. 

The  heat  from  the  fire  damaged  other  wellheads  and  ultimately  eleven  wells  were 
on  fire.  The  platform  was  totally  destroyed  and  it  took  136  days  and  ten  relief 
wells  to  kill  the  fire.  Of  the  60  men  aboard  there  were  four  fatalities  and  37 
injuries.     Most  of  the  oil  that  was  spilled  burned.     None  reached  the  beach. 

The  cause  of  the  accident  was  attributed  to  the  fact  that  several  simultaneous 
operations,  i.e.  drilling,  production  and  wireline  operations,  were  ongoing 
without clear responsibility directives. A major contributing cause to the
extent of the accident was that most of the subsurface controlled subsurface safety
valves  (storm  chokes)  leaked  or  failed. 

As a result of this incident, and others in the same time period, the Mineral
Management Service substantially expanded its platform inspection and compliance
program. Additionally, much more stringent OCS orders were issued which
included restrictions on simultaneous operations. The use of surface controlled
subsurface safety valves became mandatory.

4.4  Ekofisk Platform Bravo


In  April  1977  a  blowout  occurred  on  the  Bravo  platform  in  the  Ekofisk  field.  The 
blowout  did  not  result  in  any  loss  of  life  or  injuries  or  fire  but  did  cause  a 
large  spill.  The  blowout  occurred  during  a  well  workover  and  was  ascribed  to 
human  error.  A  contributing  cause  to  the  accident  was  attributed  to  simultaneous 
operations,  i.e.  concurrent  drilling  and  production  operations.  The  blowout 
received  extensive  worldwide  press  coverage. 

Following  this  accident  the  Norwegian  Petroleum  Directorate  issued  guidelines  for 
simultaneous  operations  which  introduced  specific  restrictions  and  required 
specific  approval  before  such  operations  could  be  conducted. 

4.5  Alexander  L.  Kielland  Accommodation  Platform 

In  March  1980  the  Alexander  L.  Kielland  floating  accommodation  platform  moored 
adjacent  to  the  Edda  platform  in  the  Edda  field  capsized  during  a  storm  resulting 
in  a  loss  of  123  lives.  The  accident  was  subsequently  attributed  by  the  inquiry 
commission  to  the  rupture  of  a  strut.  The  rupture  was  initiated  by  fatigue 
cracking  at  an  inadequately  welded  collar. 

The Kielland accident initiated substantial revisions of the Norwegian
regulations. Considerable emphasis was placed on establishing a unified safety
standard  for  mobile  units  and  fixed  platforms  and  a  more  coordinated  control 
system  based  on  the  principle  of  internal  control. 

At  the  same  time  guidelines  for  Concept  Safety  Evaluation  (CSE)  of  the  platform 
design  were  promulgated  by  the  Norwegian  Petroleum  Directorate.  These  guidelines 
required  that  the  design  be  evaluated  for  potential  accidents  and  that  impairment 
frequency be at an acceptably low level.

4.6  Piper  Alpha  Disaster 

The Piper Alpha accident occurred in July 1988 and resulted in the total
destruction of the platform. Of the 226 persons on board the platform 165 lost
their lives. Two rescue workers also were killed.

The  initiation  of  the  accident  was  attributed  to  poor  communication  between 
shifts  of  the  platform  operators.  As  a  result  an  inoperative  condensate  pump, 
from  which  the  pressure  safety  valve  had  been  removed,  was  started  up.  The 
escaping  gas  ignited  and  started  off  a  chain  of  explosions  which  resulted  in 
extensive  damage  to  vital  platform  systems.  This  included  the  platform  internal 
communication  system  making  it  impossible  to  issue  an  order  to  evacuate. 

Approximately  20  minutes  after  the  first  explosion  an  incoming  18-inch  high 
pressure gas pipeline riser was damaged, probably by falling debris. The
escaping gas collected under the platform and resulted in an enormous explosion
which  destroyed  most  of  the  platform. 

The  Piper  Alpha  accident  received  extensive  worldwide  press  attention  and 
initiated a public inquiry conducted by Lord Cullen. The recommendations from
the Cullen report will have a profound effect on offshore operations and
regulatory practices in the United Kingdom North Sea.

The proposed changes will most likely, in time, ripple through the entire
offshore industry and result in changes in the way operational safety is regulated
on  a  worldwide  basis. 

The  Cullen  report  makes  106  recommendations  designed  to  improve  offshore  safety. 
The  United  Kingdom  government  has  adopted  these  recommendations  in  their  entirety 
and  expects  to  implement  them  as  soon  as  possible. 

Significant  recommendations  include: 

o  The implementation of a system of Formal Safety Assessments (FSA), similar
   to that being used offshore Norway. In this system the operator will be
   required to demonstrate that the Safety Management System (SMS) of the
   company and the installation are adequate to assure that the design and
   operation of the platform and its equipment are safe.

o  A requirement for a safe refuge on the platform to provide temporary
   protection to personnel during an emergency.

o  Process control, i.e. not just monitoring, from a central control room
   manned around the clock.

o  Better training of personnel in the permit-to-work system.

o  A single regulatory organization for offshore safety.

o  A requirement that emergency shutdown valves be located on platform risers
   and that these valves be protected in some fashion from damage.

5.  Minor Accidents

The  databases  mentioned  earlier  provide  a  rich  source  of  statistical  material 
which  can  be  used  to  determine  the  causes  and  sources  of  offshore  platform 
accidents.

An  analysis,  for  instance,  of  the  fires  and  explosion  category  reveals  that  an 
inordinate  number  of  accidents  are  caused  during  welding  activities.  With  this 
knowledge  measures  can  be  taken  by  the  regulators  and/or  industry  to  enforce 
safety  regulations  and/or  prohibit  certain  activities. 

6.  Lessons Learned

What have we learned from these major accidents?

6.1  Structural Platform Failures

Platform  collapse  due  to  environmental  conditions  no  longer  appears  to  be  a 
problem. As shown on Figure 1 the current average annual probability of a
structural failure is less than 2 x 10^-4 and appears acceptable. That is not to
say  that  this  rate  may  not  again  increase  in  the  future  as  platforms  get  older. 
The  average  age  of  platforms  in  the  Gulf  of  Mexico  is  15  years  and  twenty  percent 
of the platforms are 25 years or older.

Most platforms are designed for a 25 year life because that is usually the
estimate of the economic life of the underlying oil reserves. In practice the
economic  life  is  usually  much  longer  because  of  conservatism  in  estimating 
reserves  and/or  the  discovery  of  additional  reserves.  Unless  the  older  platforms 
are  upgraded  and/or  properly  maintained  the  structural  failure  rate  may  increase. 
In  fact,  the  structural  failures  identified  in  Figure  1  for  the  most  recent  five 
year  period  were  two  older  structures  that  had  not  been  maintained  properly. 
Regulations,  as  well  as  industry  standards,  are  addressing  this  potential  problem 
by  mandating  periodic  underwater  inspections. 

6.2      Explosions  and  Fires 

Explosions  and  fires  are  the  principal  hazard  to  offshore  facilities.  Over  the 
period  from  1956  through  1986  a  total  of  779  incidents  involving  an  explosion 
and/or  fire  occurred  on  platforms  in  federal  waters  around  the  United  States. 
Based  on  the  accumulated  platform  years  this  relates  to  an  average  annual 
probability,  Ff,  of  an  explosion  or  fire  happening  on  a  platform  of  about  1.5 
percent.  These  incidents  resulted  in  the  loss  of  three  platforms.  The  annual 
probability  of  experiencing  an  explosion  or  fire  is  shown  on  Figure  2. 

There  is  no  clear  evidence  on  this  chart  of  any  improvement  from  earlier  years. 
This is probably because until the early 1970s minor accidents were not
reported.  Even  so,  when  investigating  the  last  decade,  there  is  no  apparent 
improvement  despite  regulatory  and  industry  efforts  to  improve  safety  and 
personnel  training. 

It  is  quite  possible  that  one  of  the  reasons  for  the  lack  of  improvement  is  the 
fact  that  production  facilities  are  getting  older.  As  mentioned  above,  some 
twenty  percent  of  the  platforms  in  the  Gulf  of  Mexico  are  25  years  or  older.  It 
is  reasonable  to  expect  that  most  of  the  facilities  are  of  the  same  vintage  and 
over  the  years  have  suffered  from  wear  and  tear.  In  some  cases  the  equipment  and 
the safety systems are obsolete.

Figure  3  displays  the  worldwide  accident  rate  of  platform  explosions.  This  chart 
shows  a  rate  that  is  an  order  of  magnitude  lower  than  the  United  States 
experience shown on Figure 2. This seems puzzling until it is realized that
Figure  2  includes  all  fires  and  explosions  and  Figure  3  includes  only  those 
incidents  classified  as  serious  accidents. 

It  points  out  the  necessity  of  careful  analysis  of  the  data  between  databanks  to 
be  certain  that  one  is  comparing  apples  and  apples  and  not  apples  and  oranges. 

From  Figure  3  it  is  clear  that  there  has  been  a  significant  improvement  in  the 
rate  of  serious  accidents,  which  are  defined  as  damage  to  one  or  more  modules 
and/or damage exceeding $2 million.

6.3  Blowouts


There  has  been  a  significant  improvement  in  the  blowout  accident  rate  from  fixed 
offshore platforms on a worldwide basis. Total platform losses due to a blowout
have decreased from an average annual rate of 3 x 10~* during the 1970 to 1979
period to a rate of 0.2 x 10"'' during the 1980 to 1989 period.

The  chart  in  Figure  3  shows  the  annual  frequency  of  blowouts  causing  serious 
damage, i.e. damage to modules and/or costing more than $2 million. The most
recent  rates  show  substantial  improvement  over  the  1979  to  1983  period. 

This improvement is attributed to stricter regulations and to training
requirements for all drilling personnel.

The  improvement  in  platform  drilling  accidents  is  not  matched,  however,  by  mobile 
drilling  units  where  the  accident  rate  over  the  same  period  has  hardly  changed. 
There  is  no  good  explanation  for  this  difference. 

7.  Summary

Major  offshore  accidents  receive  a  large  amount  of  publicity  and  are  instrumental 
in  enacting  new  and/or  revised  industry  standards  and  governmental  regulations. 
The  paper  discusses  major  accidents  that  have  occurred  during  the  past  two 
decades  and  the  effect  that  these  accidents  have  had  on  improving  the  reliability 
of  offshore  operations.  The  paper  also  discusses  the  importance  of  analyzing 
minor accidents that are not in the news through the use of databanks.

Figure 1.  Average annual failure rate of offshore platforms in United States
federal waters from environmental hazards.

Figure 2.  Average annual fire and/or explosion incident rate on offshore
platforms in United States federal waters.

Figure 3.  Worldwide average rate of platform blowouts and explosions
causing severe damage. (After Bekkevold)


BRIEF REVIEW OF THE OREDA PROJECT


Torkell Gjerstad
Technica Group, Norway
and
Hans Jørgen Grundt
Den norske stats oljeselskap a.s
(Statoil), Norway

ABSTRACT 

The  OREDA  Project,  established  in  1981,  has  become  one  of  the  main  sources 
of  equipment  reliability  data  for  Oil  &  Gas  Exploration  and  Production 
activities.  In  its  first  phase,  the  project  produced  the  Handbook  of 
Offshore  Reliability  Data.  The  data  collected  in  the  second  phase  was  made 
available  to  OREDA  members  in  the  form  of  a  computerized  database  system. 
Today,  OREDA  has  entered  into  its  third  phase,  and  the  project  scope  has 
been  extended  to  include  new  equipment  classes  and  detailed  maintenance- 
related  information.  OREDA  has  thus  extended  its  applicability  from  safety 
and  reliability  assessment  to  maintenance  and  operations  optimization.  The 
quality of the information collected has also increased dramatically
since  the  first  phase  of  the  project. 

Following  a  summary  of  OREDA  Project  highlights,  the  review  briefly 
describes  the  need  for  reliability  data  in  E&P  operations.  The  scope  of 
the  OREDA  Phase  II  data  base  is  reviewed  using  the  equipment  class  "pumps" 
as  an  example.   Finally,   some  thoughts  on  the  future  of  OREDA  are  given. 

NOTE:  The views expressed herein do not necessarily represent the views
of all OREDA Project members.

1.  Brief History of the OREDA Project

In  the  OREDA  Project,  a  number  of  oil  &  gas  companies  make  data  from  their 
maintenance  records  and  log  books  available  for  in-depth  analysis  by  their 
competitors.  When  OREDA  was  founded  in  the  early  eighties,  this  concept 
was  generally  considered  impossible,  for  a  number  of  reasons.  Firstly, 
most  companies  had  a  general  skepticism  towards  giving  other  companies 
access  to  their  internal  files.  Secondly,  there  was  a  fear  that  revealing 
details  on  the  reliability  of  equipment  could  cause  difficulties  with  the 
manufacturers  of  the  equipment  involved.  And  finally,  the  industry  had  not 
yet  fully  accepted  the  many  benefits  which  quantitative  assessments  of 
reliability, safety and maintenance bring to E&P operations.

Despite  widespread  skepticism,  a  pre-project  had  been  launched  in  1980, 
with  the  purpose  of  identifying  data  requirements  for  risk  and  reliability 
studies,  and  the  adequacy  of  existing  failure  and  repair  statistics  within 
company  records.  The  results  of  the  pre-project  were  promising,  and  a 
number  of  oil  &  gas  companies  decided  to  join  the  first  formal  phase  of 
the project, running from 1983 to 1984.

The purpose of Phase I was clearly defined: To collect data from offshore
production and exploration activities, and compile them into a Handbook of
Offshore Reliability Data. The data collection exercise was indeed a tough
job for those involved, but the Handbook turned out to be a great success.
More than 1000 copies were sold worldwide.

Following  Phase  I,  a  thorough  review  was  made  of  the  problems  OREDA 
encountered  in  its  first  phase.  One  company  decided  to  leave  the  project, 
but  the  remaining  7  members  decided  to  launch  OREDA  Phase  II  in  1987.  The 
scope  of  the  project  was  adjusted  as  follows: 

—  Data should only be collected on production-critical equipment

—  Emphasis should be on quality rather than quantity

—  The data should be installed in a PC-based system

—  Accessibility should be restricted to OREDA member companies

The result of Phase II was a PC-based system with 1623 inventories and
8424 failure reports, supplied with basic application programs for data
analysis.

We are now almost one and a half years into Phase III of the project. All
companies  who  participated  in  Phase  II  are  still  members,  and  3  more 
companies  joined  the  organisation  in  1990.  Phase  III  has  adopted  the 
following  objectives: 

—  Increased  commitment  to  data  quality  and  relevance 

—  Increased number of equipment inventories, in particular safety related

—  Inclusion  of  a  new  Maintenance  Database 

—  Cooperation  with  manufacturers  of  critical  equipment 

—  Significant  software  improvements 

—  World-wide  marketing  of  the  OREDA  Software 

—  Cooperation  with  other  organizations 

—  Preparation for partially automated experience transfer in Phase IV

The ten Phase III participants are:

BP  Petroleum  Dev.  Ltd.  Norway 

Norsk  Agip  A/S 

A/S  Norske  Shell 

Norsk  Hydro  A/S  * 

Saga  Petroleum  A/S 

Den norske stats oljeselskap A/S (Statoil)

Total Oil Marine p.l.c
Elf  Aquitaine 

Phillips  Petroleum  Co.  Norway 
A/S  Norsk  Esso 


2.        The  Need  for  Reliability  Data  in  E&P  Activities 

Equipment  failure  is  of  major  concern  in  E&P  operations,  as  well  as  in 
most other industries. Equipment failure is one of the main reasons for:

—  Investment  in  redundant  equipment  (instead  of  single  train  options) 

—  Larger  facilities  (e.g.  living  quarters  and  support  structures) 

—  Equipment  modifications 

—  Safety hazards during operations

—  Large  production  losses 

—  High  maintenance  costs 

—  Increased  cost  of  engineering  activities 

Since  the  recent  oil  crises,  cost  containment  has  been  universally 
accepted  in  the  oil  &  gas  industry.  With  the  advancement  of  reliability 
engineering  and  project  management  methods,  simple  and  reliable  concepts 
have  also  gained  substantial  ground.  In  fact,  even  the  objective  to 
minimize  total  cost  over  the  life  of  the  plant  is  now  seriously  being 
considered  by  many  companies  in  the  industry.  The  trends  are  therefore 
very  interesting  from  the  reliability  and  maintenance  specialist's  point 
of  view,  representing  not  only  methodological  challenges,  but  a 
substantial  challenge  in  terms  of  data  availability  and  data  quality. 


In  most  OREDA  member  companies,  maintenance  optimization  and  reliability 
studies  have  become  an  integral  part  of  engineering  design  and  plant 
operation.  High  quality  data  are  needed: 

—  To  select  the  most  suitable  manufacturers  and  models 

—  To  identify  dominating  failure  modes 

—  To  understand  the  failure  mechanisms  involved 

—  To  optimize  maintenance  strategies  and  maintenance  parameters 

—  To  make  cost-efficient  decisions  on  modifications  and  replacement 

—  To  pinpoint  areas  of  excessive  maintenance  workload 

—  To enable comparison of operational performance with other operators

—  To provide manufacturers with required feedback for future improvements

Very  few  of  these  tasks  can  be  achieved  with  reasonable  accuracy  without 
sufficient  availability  of  high  quality  reliability  and  maintenance  data, 
a fact well known to the OREDA sponsors.

The consequences of using poor data could be manifold, ranging from
inaccurate or misleading assessment of risk to costly over-design and
ineffective use of risk reducing measures. Figures 1 and 2 illustrate some
possible characteristics of the data quality problem.

Figure 1 is an illustration of a lifetime trend in failure frequency for
one particular item of equipment. The data is specific and not of generic type,
but can still be misleading if the estimate of failure frequency is based
on the mean value over the observation period. Trend analysis and equipment
specific data are required to identify the substantial reliability
improvement seen in such cases, and the reason for the improvement. How
often is this type of data available to the analyst?

Figure 2 is an illustration of the distribution in failure frequency of
different valves performing the same function. An analysis based on
averages (or weighted averages) is bound to be misleading, whatever the
purpose of the study. How often is this type of generic data still used as
a basis for important engineering and operational decisions?
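
The two pitfalls described for Figures 1 and 2, worked through in Python as an added example (not code or data from the paper or from OREDA). The yearly counts, the valve tags and the choice of a Poisson change-point search are assumptions made for illustration.

```python
import math
from statistics import median

# Constructed sample, NOT OREDA data: one equipment item followed for six
# years as (year, failures observed, operating hours).
YEARLY = [(1, 12, 8000), (2, 10, 8000), (3, 11, 8000),
          (4, 2, 8000), (5, 1, 8000), (6, 2, 8000)]

# Constructed sample, NOT OREDA data: six valves performing the same function,
# hypothetical tag -> (failures, operating hours).
VALVES = {"V-01": (0, 20000), "V-02": (0, 20000), "V-03": (1, 20000),
          "V-04": (0, 20000), "V-05": (9, 20000), "V-06": (2, 20000)}


def rate_per_1e6h(failures, hours):
    """Failure frequency as failures per 10^6 operating hours (hours > 0)."""
    return failures * 1e6 / hours


def _poisson_loglik(failures, hours):
    """Log-likelihood (constants dropped) of a constant-rate Poisson model,
    evaluated at its own maximum-likelihood rate failures/hours."""
    if failures == 0:
        return 0.0
    return failures * math.log(failures / hours) - failures


def find_shift(yearly):
    """Locate the single most likely shift in failure frequency (Figure 1).

    Every split of the observation period into 'before' and 'after' is tried;
    a constant rate is fitted to each part and the split with the largest
    log-likelihood gain over one constant rate for the whole period is kept.
    No significance test is attempted. Returns None for fewer than two periods.
    """
    if len(yearly) < 2:
        return None
    total_f = sum(f for _, f, _ in yearly)
    total_h = sum(h for _, _, h in yearly)
    whole = _poisson_loglik(total_f, total_h)
    best = None
    f1 = h1 = 0
    for year, f, h in yearly[:-1]:
        f1 += f
        h1 += h
        f2, h2 = total_f - f1, total_h - h1
        gain = _poisson_loglik(f1, h1) + _poisson_loglik(f2, h2) - whole
        if best is None or gain > best["gain"]:
            best = {"last_year_before": year,
                    "rate_before": rate_per_1e6h(f1, h1),
                    "rate_after": rate_per_1e6h(f2, h2),
                    "pooled": rate_per_1e6h(total_f, total_h),
                    "gain": gain}
    return best


def spread(items):
    """Compare the pooled rate with the individual rates (Figure 2)."""
    rates = {tag: rate_per_1e6h(f, h) for tag, (f, h) in items.items()}
    total_f = sum(f for f, _ in items.values())
    total_h = sum(h for _, h in items.values())
    worst = max(rates, key=rates.get)
    return {"pooled": rate_per_1e6h(total_f, total_h),
            "median": median(rates.values()),
            "worst_tag": worst,
            "worst_rate": rates[worst],
            "worst_share": items[worst][0] / total_f if total_f else 0.0}


if __name__ == "__main__":
    s = find_shift(YEARLY)
    print("mean over whole period: %.0f per 1e6 h" % s["pooled"])
    print("before/after year %d: %.0f -> %.0f per 1e6 h"
          % (s["last_year_before"], s["rate_before"], s["rate_after"]))
    v = spread(VALVES)
    print("valves pooled %.0f, median %.0f, worst %s at %.0f (%.0f%% of failures)"
          % (v["pooled"], v["median"], v["worst_tag"], v["worst_rate"],
             100 * v["worst_share"]))
```

In the constructed series the whole-period mean describes neither the early nor the late behaviour of the item, and in the valve sample one tag accounts for three quarters of the failures behind the pooled figure.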

Figure 1:  A shift in failure frequency

Figure 2:  Variability in failure frequency among individual samples


3.  OREDA Data Collection Procedures

Commitment to data quality means that detailed and unambiguous data
collection procedures have to be developed and agreed upon. Among the most
important lessons OREDA learned in the previous project phases are:


1)  A  well  defined  format  for  data  collection  is  essential 

2)  "On-line"  guidance  to  the  individual  data  collector  on  procedure 
interpretation  is  required 

3)  No  compromises  must  be  accepted  with  respect  to  data  completeness 
and  correctness 

4)  Operator's  personnel  must  be  available  to  answer  questions 

5)  Data  quality  is  expensive  -  in  particular  when  data  is  collected 
from  free  format  records 

To  further  ensure  the  required  data  quality  in  Phase  III  of  the  project, 
the  following  requirements  have  been  adopted: 

—  Equipment  shall  not  be  included  in  the  inventory  if  the  manufacturer 
has  released,  or  is  about  to  release,  a  new  model  with  significantly 
improved  reliability.  This  constraint  extends  to  auxiliary  equipment 
within  the  system  boundaries 

—  Failure  events  shall  not  be  added  to  existing  inventories  if  the 
dominant  failure  mode(s)  are  associated  with  auxiliary  equipment, 
and  if  replacement  of  the  auxiliary  equipment  with  other  models  or 
makes  are  likely  to  improve  reliability  performance  significantly 

—  Data shall only be collected for equipment models currently
considered in new projects by one or more of the OREDA Participants


—  Longer  observation  periods  —  if  possible  complete  life  cycles  — 
shall  be  preferred  to  a  larger  number  of  shorter  observation  periods 

—  All  equipment  shall  be  uniquely  identified  and  assessed  for 
relevance  and  availability  of  data  before  data  collection  can  start 
within  each  equipment  class 

4.  OREDA Database Inventories

The Phase II database has the following inventories:

SYSTEM TYPE          NUMBER OF       NUMBER OF FAILURE
                     INVENTORIES     REPORTS

PUMPS                    278             3152
COMPRESSORS               50             1639
GAS TURBINES             109             2611
VESSELS                  329              438
HEAT EXCHANGERS          170              118
VALVES                   645              427
SUBSEA EQUIPMENT          42               39

Additional  Phase  III  inventories  are: 

—  Expander/recompressors 

—  Electrical  generators 

—  Fire  &  gas  detectors 

—  Instrument  switches/process  sensors 

An  increased  amount  of  data,  of  higher  quality  and  relevance,  will  be  collected 
in  Phase  III. 


5.  OREDA System Breakdown

The following definitions apply:

SYSTEM:             Typically corresponding to Tag numbers

SUB-SYSTEM:         An assembly of units that provides a specific
                    function required for the system to achieve its
                    intended performance

MAINTAINABLE ITEM:  An item that constitutes an assembly of parts that
                    are normally the lowest indenture level during
                    maintenance


Some examples illustrate this breakdown:

Example

Level I:     System               Pump

Level II:    Subsystems           Starting system
                                  Drive unit
                                  Gearbox or drive
                                  Pump
                                  Control & monitoring
                                  Lubrication system
                                  Miscellaneous

Level III:   Maintainable items   Tank
                                  Pump
                                  Filter
                                  Cooler
                                  Valves & piping
                                  Unknown


This  level  of  detail  is  required  in  most  cases  for  detailed  systems  optimization 
and  operational  considerations. 


6.  Inventory Data

The Inventory Report, uniquely associated with each database item, has the
following general information (compulsory fields preceded by asterisk ("*")):

*  Report number
*  Reported by (name and date - dd/mm/yy)
*  Checked by (name and date - dd/mm/yy)
*  Source (or source reference)
*  Installation name
*  Item name
*  Company tag number
*  Company sub-tag numbers (if any)
*  Taxonomy code (coded)
*  Function (coded)
*  Manufacturer/supplier/package vendor
   Manufacturer of control system
*  Model/type
*  Redundant subsystems
   Operating mode (coded)
*  Operational time (hours) (& calculation method if estimated)
*  Calendar time (hours)
   Number of demands/starts
*  Date installed (dd/mm/yy)
*  Dates of major replacements (replacement options coded)

In addition, each equipment class (system) has a number of specific data
fields associated with it. As an example, the pump-specific inventory data
fields are listed below:

*  Type of driver (coded)
*  Fluid handled (coded)
   Fluid corrosiveness/erosiveness (coded)
*  Power (kW)
   Utilization of capacity (% of normal operating/design capacity)
*  Suction pressure (barg)
*  Discharge pressure (barg)
   Speed (RPM or strokes/min)
   Number of stages
   Body type (coded)
   Shaft orientation (coded)
   Shaft sealing
   Transmission type (coded)
   Pump coupling
*  Environment (coded)
*  Maintenance program (coded)
*  Instrumentation (coded)
   Pump cooling
   Bearing (coded)
   Bearing support (coded)
   Additional information

Note  that  a  large  number  of  the  data  elements  are  important  in  maintenance 
optimization,  as  well  as  in  design  optimization.  Other  entries  are  provided  in 
order  to  identify  the  equipment  when  working  on  a  generic  level. 

Also note the high number of compulsory fields and the many coded entries.
Compulsory fields and coded entries are a "must" if high database quality shall
be maintained.

Examples  of  coded  entries  in  the  inventory  report  with  particular  importance  to 
maintenance  optimization  are  listed  below. 

MAINTENANCE  PROGRAM  TYPES 

Periodic parts replacement. One or more parts of the item is replaced with a new
or completely overhauled item

Minor periodic service with limited extent of opening

Periodic inspection/opening of limited extent

Major inspection/overhaul of comprehensive extent with extensive disassembly and
replacement of worn and/or life-limit parts

Periodic functional test

Condition monitoring

INSTRUMENTATION DATA - PUMPS

Data  on  the  extent  and  type  of  instrumentation  within  a  system  boundary  is 
important  when  comparing  data  from  different  operators,  and  when  merging  data 
into generic figures. OREDA includes the following instrumentation details:

Process parameters:  Temperature/Vibration/Flow/Speed/Pressure

Application:         Trip/Control/Indication

Options:             Critical, Single channel, Simplex, High integrity
                     protection, Redundant

6.  Failure Event Report Form

The  standardized  Failure  Report  Form  is  shown  below.  The  high  number  of 
compulsory  and  coded  entries  is  a  characteristic  also  of  this  part  of  the 
database. 

*  Report number (default sequence number)
*  Inventory report number (default)
*  Reported by (name and date - dd/mm/yy)
   Source
*  Failure mode, system level (coded)
*  Subsystem(s) failed (coded)
*  Failure descriptor attributes (Euredata classification)
*  Maintainable item(s) (one or more - coded)
   Repair activity (coded)
*  Failure detected date (dd/mm/yy hh:mm)
   Active repair time (hours)
   Downtime (hours)
*  Restoration manhours (hours)
*  Method of observation (coded)
   Additional information

Correlations  have  been  developed,  using  statistical  regression,  to  convert 
manhours  to  active  repair  time  where  the  latter  is  unknown.  These  correlations 
are  normally  very  accurate  when  used  on  single,  individual  installations.  The 
active  repair  time  is  used  both  for  dead-time  calculations  and  in  systems 
availability  assessments. 

Examples  of  coded  entries  in  the  Failure  Report  with  particular  importance  to 
maintenance  optimization  are  listed  below.  The  observation  method  data  is  also 
valuable  when  considering  measures  to  prevent  certain  failure  modes  from 
occurring.

REPAIR CODES      Examples

Restore           Repack, weld, tighten, plug, reconnect

Replace           Replace a worn-out bearing

Modify            Install a filter with a smaller mesh diameter, replace a
                  sensor with another make

Adjust            Align, set and reset, calibrate, balance

Refit             Polish, clean, grind, paint, coat

Combination

Unspecified

OBSERVATION  METHOD 

Periodic  preventive  maintenance/inspection 

Functional  testing 

Condition  monitoring 

Alarms  and  trips 

Manual  observation 

Unknown 


7.        The  Future  of  OREDA 

The OREDA Project is gaining increased support in its own environment - the Oil
& Gas Exploration and Production industry. The majority of North Sea operators
have already joined the organization, and the policy shift apparent in Phase III
makes cooperation with other industries an interesting option. Ongoing
negotiations with a major American group of companies involving exchange of
technology and software are a direct result of this new policy. Recently, a Work
Group within the Oil & Gas Industry E & P Forum recommended that its members
consider joining the OREDA project.

Other important achievements in the next few years could be in the following
areas:

—  Increased cooperation with equipment vendors

—  Enhancement of OREDA's capabilities to handle hydrocarbon leak and
   ignition data

—  Increased capability for standardized, coded failure reporting in
   computerized maintenance management systems

—  Built-in error checking at different levels - both in the maintenance
   systems and in OREDA

The work carried out by the oil & gas industry in the OREDA Project will continue
to be of significant importance - to ensure safe and reliable operations, as well
as to assist in the continuing effort to optimize the operations of the
facilities.


DATA COLLECTION ON HYDROCARBON LEAKS AND IGNITIONS
THE E&P FORUM APPROACH


Torkell Gjerstad
Technica Group, Norway

ABSTRACT 

This  paper  describes:  the  objectives  and  approach  of  an  Exploration  and 
Production  (E&P)  Forum  study  aimed  at  providing  the  oil  industry  with  data  on 
hydrocarbon  releases  and  ignition;  and  methods  to  improve  these  and  other  high 
priority  data. 

1.  Introduction

This paper serves as a theme paper to the Working Group on Experience Data Bases
and Case Study Analyses at the above Workshop. It is based on a proposal prepared
by Technica for the Exploration and Production (E&P) Forum in London (U.K.).
Based  on  this  proposal,  Technica  has  been  awarded  the  contract  to  develop 
Guidelines  for  Data  Collection  on  Hydrocarbon  Releases  and  Ignition,  and  to  set 
up  an  initial  data  base  for  such  information.  These  Guidelines  will  be  available 
in  the  fall  of  1991. 


2.  Objectives 

The  objectives  of  the  E&P  Forum  study  are  to  provide  the  oil  industry  with 
reliable  and  well  documented  frequency  data  on  hydrocarbon  (HC)  releases  and 
ignition,  as  well  as  to  provide  methods  to  continuously  improve  these  and  other 
high  priority  data  through  collection  and  analysis  of  oil  companies'  internal 
experience  records.  Hence,  there  are  two  key  deliverables  from  the  study: 

a.  Guidelines  for  Data  Collection:  to  enable  E&P  Forum  members  to 
collect  HC  release  and  ignition  data,  and  other  high  priority  data, 
on  a  format  compatible  with  OREDA. 

b.  QRA  Data  Base:  a  compilation  of  presently  available  frequency  data 
on  HC  releases  and  ignition  for  use  in  Quantified  Risk  Assessment 
(QRA)  studies. 

3.  Approach

Any  data  collection  scheme  to  obtain  high  quality  frequency  data  must  aim  to  find 
the  right  balance  between  the  feasibility  of  obtaining  information  and  the 
efforts  required  to  collect  it  on  one  side,  and  on  the  other  side  the  use  and 
benefits  from  applying  the  data  in  probabilistic  analyses.  There  will  invariably 
be  a  potential  conflict  between  the  reporting  unit,  wishing  to  minimize  the 
efforts  required  in  collecting  the  information,  and  the  risk  analyst,  wishing  to 
have available detailed, reliable data obtained from a wide experience base. A
key part of this study must be to find the right balance, based on an agreed
level  of  ambition  between  E&P  Forum  members  and  a  thorough  understanding  of  the 
critical  data  requirements  in  QRA  studies  and  how  frequency  data  quality  will 
affect  the  results  from  such  studies. 

3.1      Areas  of  Particular  Importance 

There  is  a  significant  difference  between  collecting  reliability  data  (e.g. 
OREDA)  and  leak/ignition  data  for  a  process  unit.  Reliability  data  can  be 
extracted  from  Maintenance  Information  Systems  (MIS)  in  which  repair  intervention 
actions  are  recorded  for  maintenance  optimization,  spares  planning,  etc.  Hence, 
very  rigorous  reporting  systems  are  usually  in  place  for  this  purpose  with  most 
operators.  Reliability  data  collection  is  therefore  a  matter  of  utilizing 
information  which  already  exists,  originally  recorded  for  other  (main)  purposes. 

Leak  and  ignition  data  collection  will  mainly  be  based  on  special  records, 
established  for  the  particular  purpose  of  recording  such  events  and  monitoring 
their  frequency  of  occurrence.  Hence  the  type  of  failure  mode  ("external  leak") 
is  always  well  defined,  but  the  records  may  not  reflect  the  criticality  of  the 
event.  This  is  in  most  cases  determined  by  the  leak  rate.  Consequence 
calculations  in  QRA  studies  require  leak  rates  to  be  specified  in  kilograms  per 
second, but this parameter cannot be observed when the leak occurs.
Consequently,  qualitative  categories  like  "minor  leak",  "major  leak"  and 
"rupture"  are  used  to  describe  the  event,  and  this  information  is  later 
transferred  into  quantitative  categories  when  performing  data  analysis  in  a  QRA 
context.  The  uncertainty  associated  with  leak  rate  estimates  is  therefore 
considerable  in  present  QRA  data  bases. 

Sensitivity  studies  have  demonstrated  that  the  risk  results  can  be  very  dependent 
on  the  hole  size  distribution,  i.e.  the  fractions  of  all  leaks  from  a  particular 
process  segment  which  fall  within  a  certain  leak  rate  category.  This  study  should 
aim  to  reduce  the  uncertainty  in  this  area,  by  exploring  ways  in  which  leak  rate 
categories  can  be  determined  with  higher  accuracy.  The  recording  and  analysis  of 
gas  detector  responses  could  provide  a  way  forward:  by  linking  gas  readings  to 
a  simplified  gas  dispersion  consideration,  it  may  be  possible  to  "back  calculate" 
the  rate  of  HC  release. 

Another  aspect  which  distinguishes  leak  and  ignition  data  collection  from 
reliability  data  collection  is  the  fact  that  a  significant  proportion  of  the 
events  are  caused  by  human  intervention,  and  do  not  result  from  equipment 
failures  per  se.  Maintenance  intervention,  modification  works,  etc.  contribute 
perhaps  more  than  50  percent  of  the  significant  leaks,  and  are  also  an  important 
source  of  ignition.  This  is  another  reason  why  maintenance  records  are  an 
unreliable  source  of  information  for  HC  leaks  and  ignition.  However,  these 
records  do  provide  information  on  the  level  of  human  intervention,  which  may  be 
used  to  analyse  the  effect  of  such  activities  on  the  frequency  of  leaks  and  the 
probability  of  ignition. 

Just  as  it  is  important  to  quantify  the  leak  rate,  it  is  also  necessary  to 
establish  a  cut-off  criterion  for  leaks  to  be  reported.  Very  minor  leaks  from 
process  equipment  happen  all  the  time.  Many  minor  leaks  are  not  picked  up  by 
detectors, but are identified by process operators and other platform personnel
who hear the sound of a release. A recent survey in the Norwegian sector carried
out  for  the  Norwegian  Oil  Industry  Association  (OLF)  and  the  OFS  offshore  workers 
union  revealed  that  only  69  (25  percent)  out  of  a  total  of  272  gas  leaks  had  been 
reported to the Norwegian Petroleum Directorate (NPD). Most of the 272 leaks were
picked up by the gas detection system. This result clearly indicates the need to
agree  on  common  criteria  for  when  a  gas  release  should  be  reported.  The  very 
small  leaks  may  not  be  of  interest  in  QRA  work,  since  they  are  too  small  to  have 
a  major  hazards  potential.  Data  collection  and  analysis  must  therefore  ensure 
that  such  small  "bleeds"  are  left  out  or  accounted  for  separately. 

The E&P Forum study must also address the recording of equipment inventories,
i.e. the number and size of equipment containing hydrocarbons. Typical examples
are the length and diameter of piping and risers, the number of centrifugal gas
compressors, etc. Two basic approaches are available: a "parts count" approach
in which each operator would have to record the number of each
equipment/component class, or a "modularised" approach in which inventory
information is kept at an integrated level, i.e. gas compressor train, first
stage separation, etc. The parts count approach provides more detailed information
with better scope for detailed data analyses, but this approach is also the one
requiring somewhat larger efforts from each operator. We anticipate that the Work
Group may nevertheless prefer this approach, since compatibility with OREDA is
desirable (ref. sample from OREDA III Data Collection Guideline circulated from
E&P Forum).

An ignition probability is required in risk analysis to calculate the frequency
of fires and explosions based on the leak frequency on a platform. Ignition
probability can be defined in different ways, depending on how the value is used
in the analysis.

In early risk analysis, the ignition probability has often been made a fixed
value, based on the leak rate. The value could be dependent on leak location on
the platform to account for the presence of more or fewer ignition sources (hot
work, rotating equipment, etc.). If explosions were included in the analysis,
then a separate probability had to be included for late ignition.

A different approach is to make ignition probability a function of gas cloud size
(a larger gas cloud will engulf more potential ignition sources). This approach
has  the  advantage  that  the  real  mechanisms  of  ignition  (i.e.  that  the  gas  reaches 
an  ignition  source)  can  be  described  more  realistically.  Relevant  design 
features  of  the  platform  can  then  also  be  included  in  the  analysis  in  a  more 
consistent  way,  especially  the  ventilation  regime. 

From  the  moment  that  a  leak  occurs,  gas  will  start  spreading  through  a  module. 
The  gas  cloud  caused  by  a  leak  is  therefore  not  of  a  constant  shape  and  volume, 
but  changes  over  time.  The  ignition  probability  will  therefore  vary  with  time 
as  well.  The  size  of  the  gas  cloud  will  have  an  effect  on  the  magnitude  of  the 
explosion  pressure  when  ignition  occurs. 

The ignition modelling therefore has a direct impact on the results of a risk
analysis when explosion modelling is taken into account.

It  is  obvious  that  not  everybody  has  the  tools  or  capacity  to  perform  an  in-depth 
analysis of explosion risk. However, a choice can be made to develop a database
which  permits  a  more  advanced  analysis  to  be  performed.  At  the  same  time  a 
derived  result  may  have  to  be  developed  that  can  be  used  in  simpler  analyses. 
A  number  of  example  runs  for  a  typical  platform  could  be  performed  to  provide  a 
set  of  data  for  such  a  simple  analysis. 

3.2      Data  Base  Development 

The setting up of a QRA data base for HC leak frequencies and ignition
probabilities, based on presently available data, will provide a very good
starting point for establishing the data collection Guideline. Most of the data
base work should therefore be done ahead of the Guideline work, as indicated
in the sequencing outlined in the enquiry document from E&P Forum.

The  simplest  approach  to  providing  a  QRA  data  base  for  E&P  Forum  members  would 
be  for  Technica  to  present  its  standard  failure  data  handbook.  However,  we  are 
convinced  that  the  E&P  work  group  members  would  like  to  take  advantage  of  the 
opportunity  to  share  their  experience  data,  and  to  undertake  some  analyses  to 
enhance  the  understanding  of  inventory  release  and  ignition  mechanisms. 

We  see  the  most  important  sources  of  information  to  be  the  following: 

1.  In-house  Technica  sources: 

a) TEDARES (Technica's Data Reference System)

b) BLOWOUT (Technica's blowout data base)

2. Confidential sources (with a very good chance of obtaining access for this
project):

c) E&P Forum members' in-house data sources

d)  OLF's  Gas  Release  Data  Base 

e)  NPD's  Riser  &  Pipeline  Data  Base 

f)  NPD's  Production  Upsets  Data  Base 

g)  OREDA 

3.  Sources  in  the  public  domain: 

h)  Worldwide  Offshore  Accident  Databank  (WOAD) 

This  list  does  not  preclude  the  inclusion  of  other  relevant  sources  in  the  study. 

The  initial  activity  will  be  to  collect  and  review  leak  and  ignition  data  from 
the  above  sources.  We  would  at  an  early  stage  work  with  the  E&P  Forum  Work  Group 
members  to  obtain  access  to  the  confidential  sources,  and  to  establish  adequate 
procedures  for  maintaining  confidentiality  requirements  which  may  be  imposed. 

An HC inventories taxonomy will be developed, based on common offshore systems
design. We would aim to establish a taxonomy which is structured in accordance
with the Work Group members' systems classification schemes, in order to match
as far as is practicable the experience records for leak and ignition incidents.
The taxonomy developed here will also be the basis for the data collection
Guidelines to be established in this study.

A draft structure for the HC taxonomy is given below:

1.  Drilling/Completion  (operations) 

2.  Well  systems  (including  interventions  in  the  production  phase) 

3.  Flowlines  &  Well  Testing 

4.  Separation 

5.  Dehydration 

6.  Gas  Compression 

7.  Metering 

8. Blowdown & Flaring

9.  Risers  &  Pipelines  (including  pigging  units) 

10.  Crude  Storage 

11.  Offshore  Loading 

12. Misc. Production Systems (e.g. condensate injection, drain systems,
etc.)

A possible modification to this taxonomy structure would be to consider "generic"
items like piping segments, instrument connections, valves, flanges, etc.
separately  from  the  above  items.  This  would  be  necessary  if  a  parts  count 
approach  to  estimating  leak  frequencies  for  a  particular  platform  concept  is 
required.  The  above  taxonomy  items  would  then  be  used  for  special  items  only, 
e.g.  item  #7  would  include  orifice  plates,  whereas  valves  and  instrument 
connections  used  in  metering  stations  would  be  included  under  the  generic 
classes.  A  decision  on  the  best  taxonomy  structure  will  be  made  in  discussions 
with  Work  Group  members,  taking  into  account  the  results  of  the  data  analysis  as 
well.  The  aim  must  be  to  establish  a  taxonomy  which  is  suitable  for  QRA  purposes 
and  is  practical  for  data  collection  purposes. 

The collected data will be analyzed to identify the most important parameters
influencing the leak frequencies and ignition probabilities. It will be important
to be aware that higher leak frequencies are often associated with particular
equipment problems, and that the problem can be fixed once it has been brought
to the operator's attention. An example of such a problem is the use of
inappropriate gaskets, causing numerous leaks before the gaskets were replaced
by a different type. Knowledge of this sort of problem will be particularly
important when analyzing Work Group members' data files.

The  data  analysis  will  also  aim  to  establish,  if  possible,  simple  correlations 
between  leak  and  ignition  data  and  high-level  design  parameters,  e.g.  number  and 
type  of  platform  modules,  natural  vs.  mechanical  ventilation,  etc. 

The  ignition  probability  is  a  function  of  leak  size  and  more  particularly  of  the 
size  of  the  gas  cloud  resulting  from  the  leak  (see  3.1).  Ideally  one  would 
therefore  want  to  know  the  exact  release  rate  for  each  historic  leak,  the  leak 
direction,  ventilation  characteristics,  module  description,  etc.,  to  be  able  to 
simulate  all  parameters  and  find  their  significance  for  the  ignition  probability. 
However  that  would  be  a  task  of  too  great  an  extent  to  produce  results  within  the 
time  frame  for  this  exercise. 

Rather than use a brute force technique in which a multitude of data is
collected, we suggest concentrating the efforts on areas where the fastest
results can be produced. This suggested approach is based on the fact that a
leak rate is easier to estimate for an ignited leak than for an unignited one.
In addition, in risk analysis one is mostly interested in ignited leaks rather
than unignited ones.

The way to find realistic ignition data will therefore be to analyze a number of
historical fires in more detail. Given that the accident descriptions are
reasonably detailed, it should be possible to estimate the leak rate based on the
fire size (for ignited releases it is more likely that a detailed accident report
is available than for unignited leaks). For explosions one could spend some time
analyzing the descriptions of gas detector recordings and also make a
better-founded judgement of leak size. With maybe 20 to 50 accident descriptions one
would therefore expect that a reasonably realistic leak size distribution can be
developed for ignited releases.

In order to be able to develop a frequency of ignited releases (by leak size) one
needs to have a suitable platform population data set as well. We envisage
therefore that E&P Forum makes available a list of platforms where the level of
accident reporting over a specified period is good. For those platforms (or a
selection of platforms from the available population) accident descriptions of
ignited releases will be analyzed as indicated above. The platforms must be
classified according to a suitable scheme, in order to make a proper description
of the available population. The classification is likely to take into account
factors like the amount of processing on the platform (e.g. number of separation
stages/trains, compression, etc.) and the ventilation regime on the platform
(mechanical vs natural).

From  the  sources  on  leak  frequency  data,  it  will  be  possible  to  obtain  a 
reasonable  estimate  of  the  leak  frequency  for  each  platform  class.  With  a 
suitable  ignition  model,  the  frequency  distribution  of  ignited  leaks  can  now  be 
used  together  with  the  leak  frequency  for  deriving: 

-  the  hole  size  distribution 

-  the  ignition  probability  per  leak  size 

The  methodology  is  thus  expected  to  cover  the  two  factors  that  contribute  most 
to  the  uncertainty  in  risk  analysis  data. 

The  HC  release  frequency  and  ignition  probability  data  will  be  presented  in  the 
form  of  a  document,  tailored  to  the  use  in  QRA  studies.  This  document  will  be  the 
best  available  source  of  such  data  in  the  offshore  industry.  It  will  contain  leak 
frequencies, hole size distributions and ignition probabilities for the taxonomy
items.

The  data  base  will  meet  the  following  requirements: 

-  Data  from  public  sources  will  be  traceable. 

-  Confidential  data  supplied  by  E&P  members  and  other  companies  will 
not  identify  the  data  source  (i.e.  generic  data). 
-  The data will be presented in a format which makes future updating
possible  once  data  from  E&P  members  are  routinely  reported  and 
analysed. 

3.3      Data  Collection  Guidelines 

The  objective  of  the  E&P  Forum  initiative  is  to  ensure  that  future  reporting  from 
members  will  result  in  a  high  quality  QRA  data  base.  Since  it  is  commonly 
recognised  that  present  experience  records  do  not  provide  an  adequate  basis  for 
deriving  such  high  quality  data,  the  E&P  Guidelines  for  data  collection  should 
aim  to  improve  the  current  standard  of  HC  release  and  ignition  incident 
reporting.  The  Guidelines  should  also  address  other  high  priority  data  such  as 
F&G  detection,  fire  water  systems,  safety  valves,  blowdown  systems,  etc. 

The  OREDA  Data  Collection  Guideline  provides  a  very  useful  input  to  this  part  of 
the  work.  These  Guidelines  have  evolved  since  the  first  phase  of  OREDA  in  1983, 
and  are  therefore  based  on  considerable  experience  collecting  reliability  data. 
It  is  at  the  same  time  important  to  keep  in  mind  the  differences  between  leak  and 
ignition  incident  reporting  and  reliability  data  collection,  ref.  Section  3.1 
above.  We  envisage  the  Guidelines  would  be  developed  in  three  stages: 

3.3.1 Taxonomy Definition

3.3.2 Inventory Data Collection

3.3.3 Incident Data Reporting

Each of these is discussed below.

3.3.1  Taxonomy  Definition 

The  taxonomy  for  the  Guidelines  will  be  based  on  the  taxonomy  developed  for  the 
initial  data  base  on  HC  leaks  and  ignition,  but  extended  to  include  other  high 
priority  items  which  do  not  relate  to  leak  and  ignition  events  by  themselves.  The 
taxonomy  should  as  far  as  is  practicable  follow  the  OREDA  taxonomy  structure. 
This  will  be  particularly  relevant  for  the  priority  items  which  generally  relate 
to  component  categories  similar  to  OREDA,  and  for  which  data  can  be  collected 
from maintenance information systems. It may also be useful to revisit the
initial OREDA taxonomy from 1983, which contained about double the number of
items presented in the OREDA Handbook. Those discarded were items for
which no reliability data could be found.

An  outline  taxonomy  for  HC  inventory  items  is  given  in  Section  3.2  of  this 
proposal.  This  would  initially  be  detailed  out  with  reference  to  E&P  members' 
incident  reporting  systems  and  to  the  OREDA  taxonomy.  As  discussed  in  Section 
3.2,  it  will  be  important  at  this  stage  to  agree  on  the  taxonomy  structure:  we 
believe  the  most  appropriate  approach  would  be  to  separate  out  generic  equipment 
categories  like  flanges  and  piping  segments,  and  to  reserve  the  special 
categories  for  items  such  as  orifice  plates,  pig  receivers,  pressure  safety 
valves, etc. It should be noted that the final data base could be made in such
a way that high-level leak frequencies and ignition probabilities on a per module
or per system basis could be derived automatically from pre-determined, generic
modules or system configuration (note spreadsheet analogy). This would be very
useful for early stage QRA purposes, when little detail about system
configuration is available.
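
The spreadsheet analogy above and the derivation of ignition probability per leak size outlined in Section 3.2, as an added example that is not part of the original proposal: a parts-count roll-up of module leak and ignited-leak frequencies, plus the back-calculation of ignition probability from fire history. All frequencies, probabilities, size classes and the module make-up are constructed placeholders, and every name is hypothetical.

```python
"""Parts-count roll-up of leak and ignited-leak frequencies for one module.

Every number here is a constructed placeholder, not OREDA or E&P Forum data.
"""
import math
from dataclasses import dataclass

SIZE_CLASSES = ("small", "medium", "large")  # assumed hole-size classes


@dataclass(frozen=True)
class ItemData:
    unit: str                   # what one count means: "each" or "m"
    leaks_per_unit_year: float  # generic leak frequency per unit per year
    size_split: dict            # fraction of leaks in each hole-size class


# Generic classes are counted wherever they occur (parts count approach).
GENERIC = {
    "flange": ItemData("each", 2.0e-4, {"small": 0.80, "medium": 0.15, "large": 0.05}),
    "valve": ItemData("each", 5.0e-4, {"small": 0.70, "medium": 0.20, "large": 0.10}),
    "piping": ItemData("m", 1.0e-5, {"small": 0.60, "medium": 0.30, "large": 0.10}),
}
# Special items stay under their taxonomy heading (here item 7, Metering).
SPECIAL = {
    "orifice_plate": ItemData("each", 1.0e-3, {"small": 0.90, "medium": 0.10, "large": 0.00}),
}
# Ignition probability per leak size, by ventilation regime (constructed).
IGNITION_PROB = {
    "natural": {"small": 0.01, "medium": 0.05, "large": 0.20},
    "mechanical": {"small": 0.02, "medium": 0.10, "large": 0.40},
}


def module_leak_frequency(parts_count):
    """Sum count x generic frequency over all items, split by hole size."""
    catalogue = {**GENERIC, **SPECIAL}
    totals = dict.fromkeys(SIZE_CLASSES, 0.0)
    for name, count in parts_count.items():
        if name not in catalogue:
            raise KeyError(f"item {name!r} is not in the taxonomy")
        if count < 0:
            raise ValueError(f"negative count for {name!r}")
        item = catalogue[name]
        if not math.isclose(sum(item.size_split.values()), 1.0):
            raise ValueError(f"size split for {name!r} does not sum to 1")
        for size in SIZE_CLASSES:
            totals[size] += count * item.leaks_per_unit_year * item.size_split[size]
    return totals


def ignited_frequency(leak_freq, ventilation):
    """Ignited-leak frequency per year for each hole-size class."""
    probs = IGNITION_PROB[ventilation]
    return {size: leak_freq[size] * probs[size] for size in SIZE_CLASSES}


def ignition_probability_from_history(ignited_counts, platform_years, leak_freq):
    """Back out P(ignition | size) = ignited frequency / leak frequency.

    leak_freq is per platform-year for the same platform class. A result
    above 1 means the leak frequency is too low for the fires observed,
    which is what under-reporting of unignited leaks produces.
    """
    if platform_years <= 0:
        raise ValueError("platform_years must be positive")
    result = {}
    for size in SIZE_CLASSES:
        ignited = ignited_counts.get(size, 0) / platform_years
        if leak_freq[size] == 0:
            if ignited > 0:
                raise ValueError(f"ignited {size} leaks seen but leak frequency is 0")
            result[size] = None  # no basis for an estimate
            continue
        p = ignited / leak_freq[size]
        if p > 1:
            raise ValueError(f"P(ignition) for {size} leaks is {p:.2f} > 1")
        result[size] = p
    return result


# Constructed metering station: counts of generic parts plus special items.
METERING_STATION = {"flange": 100, "valve": 20, "piping": 200, "orifice_plate": 4}

if __name__ == "__main__":
    leaks = module_leak_frequency(METERING_STATION)
    fires = ignited_frequency(leaks, "natural")
    for size in SIZE_CLASSES:
        print(f"{size:6s} leaks/yr {leaks[size]:.4f}  ignited/yr {fires[size]:.6f}")
    print(ignition_probability_from_history(
        {"small": 2, "medium": 3, "large": 4}, 1000,
        {"small": 0.2, "medium": 0.06, "large": 0.01}))
```

The range check in the back-calculation is the practical consequence of the reporting gap described in Section 3.1: if unignited leaks are under-reported, the derived ignition probability is biased high and can exceed 1.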


3.3.2  Inventory  Data  Collection 

We envisage that the inventory data collection scheme for the E&P QRA data base
could largely be based on the OREDA system, i.e. with a two-level approach: one
set  of  general  information,  applicable  to  all  items,  and  one  set  containing 
specific  information  relating  to  each  individual  taxonomy  item.  The  two  sets 
would  be  developed  to  be  fully  compatible  with  OREDA. 

There  is  some  additional  information  which  is  relevant  to  leaks  and  ignition 
incidents,  and  which  should  be  considered  for  inclusion  in  the  Guideline.  This 
relates  to  the  local  conditions  in  the  area  where  the  equipment  is  located: 

—  Module/Area  geometry  and  volume 

—  Ventilation  conditions 

—  Distance  to  safe  areas  and  hot  surfaces  or  open  flames 

—  Gas  detector  type  and  location 

—  Volume  of  hot  work,  modification  works,  etc. 

The latter information on activity levels is important since it is a fact that
very many significant HC releases occur as a result of human intervention and not
as a result of spontaneous equipment failures. It is in our experience not
straightforward to collect this type of information, and we need to agree with
the Work Group whether collection of this information should be limited to a "per
platform" basis rather than a "per module/area" basis.

3.3.3  Incident  Data  Reporting 

This part of the Guideline should also take the OREDA system as a starting point,
in order to ensure compatibility. The main difference as far as HC release events
are concerned is that the failure mode is predefined: "external leak". Whereas the
OREDA failure report concentrates on the failure mode and the repair activity,
the E&P report will have to address the incident itself and its consequences in
much more detail.

Apart from the information required by OREDA (which we will not repeat here), we
propose to consider the following information as part of the reporting format:

Leak  Description: 

—  equipment/part  leaking 

—  rate  (preferably  estimated  as  kg/s) 

—  duration 

—  means  for  isolating  the  leak  (closing  valve,  empty  inventory,  etc.) 

—  cloud  size 

—  means  for  detection  (visual,  noise,  smell,  detector) 

—  gas detector readings (inside/outside area)

—  HC  medium  (could  be  inventory  information) 

—  production  shut-down  time  (if  any) 

—  time  of  the  day 

—  number  of  people  present  in  the  area 
—  operation in progress in the area (wireline, hot work, etc.)

—  wind  direction  and  speed  (natural  ventilation) 

—  ventilation  rate  (mechanical  ventilation) 

It will be a particular challenge to establish principles for determining the
leak rate. As discussed previously, the leak rate cannot be observed, and must
therefore be derived from other parameters. Possible options include gas detector
readings and leak hole size, from which a more accurate leak rate in kg/s may be
determined. The feasibility of using such an approach must be discussed with the
Work Group.

It  is  of  interest  to  record  the  number  of  people  present  in  the  area  when  the 
leak  occurs,  since  most  QRA  work  combines  leak  consequences  with  the  number  of 
people  present  to  estimate  the  number  of  casualties  in  the  area.  An  average 
personnel  distribution  is  commonly  used  for  this  purpose,  but  this  may  not  be 
appropriate  if  more  than  half  of  the  leaks  are  caused  by  human  intervention. 

The  wind  direction  and  speed  should  be  recorded  when  a  leak  occurs  in  a  naturally 
ventilated  module,  since  the  ventilation  rate  through  the  module  will  be 
determined by these factors (and the module geometry recorded as inventory
information).

Leak  Causes 

Hardware  causes  of  releases  may  be  classified  as  in  OREDA,  using  the  Failure 
Descriptor.  It  may  be  appropriate  to  add  some  information  about  the  leak  path, 
since  this  will  improve  the  understanding  needed  to  assess  the  leak  rate. 

Human factors related causes may be classified at different levels of detail and
root cause back-tracking. We would propose to avoid as far as is practicable
simply using "human error" to describe an incident, since this is not a piece of
information which tends to focus on constructive mitigating measures. It would
be preferable to employ a cause classification scheme relating to e.g.
"inadequate procedure", "communication error", "violation of procedure",
"inadequate labelling", etc. Technica will use its Human Factors expertise to
establish proposed classifications, based on a review of incident data.

Ignition  Description 

—  time  delay 

—  ignition  point  (relative  to  leak  source) 

—  overpressure 

—  explosion suppression agent (e.g. halon, if used)

—  fire  duration 

—  fire extinguishing method/agent

Ignition Source

—  leak  induced 

—  static  electricity 

—  hot  surface 

—  open  flame 
-  faulty EX equipment

-  gas  in  safe  area 

-  hot  work 

-  other  human  activities  (e.g.  smoking) 

The  incident  reporting  form  will  be  produced  in  a  format  compatible  with  OREDA. 

Ralph Ainger

Minerals  Management  Service 
381  Elden  Street 
Suite  1109,  MS  6300 
Herndon,  VA  22070-4817 

Larry  Albaugh 
ARCO 

P.O.  Box  2819 
Room  DAB  32-100 
Dallas,  TX  75087 

Alex  Alvarado 

Minerals  Management  Service 
1201  Elmwood  Park  Boulevard 
MS  5232 

New Orleans, LA 70123

Frank Amato

Shell  Offshore  Incorporated 
701  Poydras  Street 
Rm  2682 

New Orleans, LA 70130

Carl Anderson

Minerals  Management  Service 
381  Elden  Street 
Herndon,  VA  22070 

Kenneth  Arnold 

Paragon  Engineering  Service 

13939  Northwest  Freeway 

Suite  201 

Houston,  TX  77040 

Bilal  Ayyub 

University  of  Maryland 
Department  of  Civil  Engineering 
Room  155,   Engineering  Bldg. 
College  Park,  MD  20742 

Hugh  Banon 

Exxon  Production  Research 
P.O.  Box  2189 
Houston,  TX  77252-2189 

Alan  Barnardo 
Santa  Fe  Drilling  Company 
1000  S.   Fremont  Ave 
Alhambra,   CA  91802-4000 


John  Baxter 

American  Bureau  of  Shipping 
45  Eisenhower  Drive 
Paramus,  NJ  07653-0910 

Robert  G.  Bea 

Department  of  Naval  Architecture 
202  Naval  Architecture 
University  of  Calif. 
Berkeley,  CA  94720 

P.C.  Birkemoe 
University  of  Toronto 
35  St.  George  Street 
Toronto,  GB213 
CANADA 

Cornells  Boshuizen 
T.D.  Williamson,  Inc. 
8506  East  61st  Street 
Tulsa,  OK  74133 

Adam  T.  Bourgoyne 
Louisiana  State  University 
3526  SEBA  Building 
University  Station 
Baton  Rouge,  LA  70803 

James  Breaux 

Shell  Offshore,  Incorporated 
P.O.  Box  61122 
Room  2002 

New Orleans, LA 70161

J.M. Campbell

John M. Campbell & Company
1215  Crossroads  Boulevard 
Norman,  OK  73069 

Linda  Castano 

Minerals  Management  Service 
1201  Elmwood  Park 
MS  5412 

New  Orleans,  LA  70123 

Jacob  Chacko 

R.J.  Brown  &  Associates 

2010  N.  Loop  West 

Suite  200 

Houston,  TX  77018 

Youl-Nan Chen

American  Bureau  of  Shipping 
45  Eisenhower  Drive 
Paramus,  NJ  07653-0910 

Aylmer  Cheng 

Amoco  Production  Company 
P.O.  Box  3092 
Room  606  W2 
Houston,  TX  77253 

Clive  Christensen 
Gas  Council  (Exploration)  Ltd. 
More  Cambe  Field  Man 
Support  Base 

North  Quay,  Heysham  LA3  ZUH 
UNITED  KINGDOM 

C.  Allin  Cornell 
Stanford  University 
Department  of  Civil  Engineering 
Terman  Engineering  C 
Stanford,  CA  94305-4020 

Elmer  Danenberger 
Minerals  Management  Service 
381  Elden  Street 
Herndon,  VA  22070 

J. Frank Davis
Shell  Oil  Company 
Box  2463 
Room  4248  OSP 
Houston,  TX  77252 

Reggie  Davis 

Phillips  Petroleum  Company 
6330  W.  Loop  Street 
Houston,  TX  77401 

Rabi  De 

Shell  Development  Company 
3737  Bellaire  Boulevard 
Room  BRC  2248 
Houston,  TX  77025 


Thomas  Dunaway 
Minerals  Management  Service 
770  Paseo  Camarillo 
Camarillo,  CA  93010 

G. Edwards
Shell  Research 
Engineering  Research  Dept. 
P.O.  Box  60 
Rijswik  (Z-H) 
THE  NETHERLANDS 

Robert  Folse 
Chevron  U.S.A.,  Inc. 
P.O.  Box  61590 
New  Orleans,  LA  70161 

Paul  Frieze 

Paul  A.  Frieze  &  Associates 
18  Strawberry  Vale 
Strawberry  Hill 
Twickenham 
UNITED  KINGDOM 

J.G.  Galloway 

Exxon  Production  Research  Co. 
3120  Buffalo  Speedway 
Room  S-344 
Houston,  TX  77036 

Terry  N.  Gardner 
Exxon 

P.O.  Box  2189 
Houston,  TX  77036 

Edward  Gerber 

John  Brown  E&C 

7909  Parkwood  Circle  Drive 

Houston,  TX  77036 

A.  Donald  Giroir 
Minerals  Management  Service 
1201  Elmwood  Park  Boulevard 
917E/5200 

New  Orleans,  LA  70123-2394 


Frank  Dello  Stritto 

Mobil Research & Development Corp.

13777  Midway  Road 

Dallas,  TX  75244-4312 


Torkell  Gjerstad 

Technica  a.s 

Norsea  Base,  Cusavik 

P.O.  Box  138 

4001  Stavanger 

NORWAY 

John Gregory

Minerals  Management  Service 
381  Elden  Street 
Herndon,  VA  22070 

Brian  Griffin 
The  Bercha  Group 
250,  1220  Kensington 
Calgary,  Alberta,  T2N  3P5 
CANADA 

Richard  Habrat 
Minerals  Management  Service 
770  Paseo  Camarillo 
Camarillo,  CA  93010 

Robert  Hale 

Canada,  Nova  Scotia  Offshore 

Petro.  Board 
1791  Barrington  Street 
64  TD  Center 
Halifax,  B3J3K9 
CANADA 

Martha  Halperin 

Bureau  of  National  Affairs 

1231 25th St., NW

Room  S-310 

Washington,  DC  20037 


David  Halsey 

Minerals  Management  Service 
381  Elden  Street 
Herndon,  VA  22070 

Jed  Hamilton 
Exxon 

P.O.  Box  2189 
2GP-907 

Houston,  TX  77252 

Steve  Harding 
Exxon 

P.O.  Box  2189 
Houston,  TX  77252 

N.  Colin  Harris 
John Brown E&C
P.O.  Box  1432 
Stamford,  CT  06430 


Bill  Hauser 

Minerals  Management  Service 
381  Elden  Street 
MS  4800 

Herndon,  VA  22070 

Bernie  Herbert 
Amoco  Production  Company 
1340  Poydras  Street 
New  Orleans,  LA  70112 

Don  Howard 

Minerals  Management  Service 
1201  Elmwood  Park  Boulevard 
308/MS  5250 

New Orleans, LA 70123-2394

Harold W.D. Hughes

U.K.  Offshore  Operators  Association 
3  Hans  Crescent 
London  SWIX  OIN 
UNITED  KINGDOM 

Gary  R.  Imm 
Amoco 

4502  East  41st  Street 
P.O.  Box  3385 
Tulsa,  OK  74102 

Maher  Ibrahim 

Minerals  Management  Service 
381  Elden  Street 
Suite  1109,  MS  6100 
Herndon,  VA  22070-4817 

Jack  Johnson 

Shell  Offshore  Incorporated 
701  Poydras  Street 
Room  2682 

New Orleans, LA 70130

Gregory Jones

Brown  &  Root  USA  Incorporated 
P.O.  Box  4574 
Room  91,  3SW32D 
Houston,  TX  77210-4574 

Carolita Kallaur
Minerals  Management  Service 
381  Elden  Street 
MS  4030 

Herndon,  VA  22070 

Demir Karsan
Conoco, Inc.
P.O.  Box  2197 
Room  DU-2092 
Houston,  TX  77252 

William  Kazokas 
Arco  Oil  and  Gas  Co. 
1601  Bryan  Street 
Room  DAB-28132 
Dallas,  TX  75201 


Andrew  Kendrick 

ECS  Power  Systems  Inc. 

150  Isabella  Street 

Ottawa,  KIS  5A3 

CANADA 

Bruce  Kerlin 
Chevron U.S.A., Inc.
P.O.  Box  61590 
New  Orleans,  LA  70161 

Frank  Kern 

Exxon  Company,  U.S.A. 

P.O.  Box  60626 

New  Orleans,  LA  70160 

William  Koerner 

Exxon  Production  Research 

P.O.  Box  2189 

NW  608 

Houston, TX 77252-2189

I. Kogan

Faculty  of  Civil  Engineering 
Israel  Institute  of  Tech. 
Technion  City,  Haifa  32000 
ISRAEL 

Francis  D.  Koop 
Phillips  Petroleum 
704  Winding  Way 
Bartlesville, OK 74006

Richard  Krahl 

Offshore  Consultative  Service 
11604  Chapel  Cross  W 
Reston,  VA  22094 


William  Krieger 

Chevron  Research  &  Technology  Co. 
Bishop  Ranch  6,  K1082 
2400  Camino  Ramon 
San  Ramon,  CA  94583 

Yilmaz  Kuranel 
Minerals  Management  Service 
University  Plaza  Boulevard 
949 East 36 Ave., 99
Anchorage,  AK  99508 

William  Lamport 
Unocal 

376  South  Valencia  Avenue 
Brea,  CA  92621 

John  Lane 

Minerals  Management  Service 
770  Paseo  Camarillo 
Camarillo,   CA  93010 

Robert  Lanza 

Minerals  Management  Service 
1201  Elmwood  Park  Boulevard 
MS  5221 

New  Orleans,  LA  70123 

Richard  Larrabee 
Shell  Oil  Co. 
Box  576 
Room  WCK5132 
Houston,  TX  77252 

Griff  C.  Lee 

Griff  C.  Lee,  Inc. 

P.O.  Box  70787 

New  Orleans,  LA  70172 

Poe  Leggette 

Jackson  &  Kelly 

1701  Pennsylvania  Avenue,  NW 

Suite  650 

Washington,  DC  20006 

Gregory  Lever 

Petro  Canada  Resources 

150-6  Avenue  S.W. 

Calgary,  T2P  3E3 

CANADA 

Selantic Industrier A.S.
NORWAY

James  R.  Lloyd 

Exxon  Production  Research 

3600  Richmond 

Two  Greenway  Plaza,   Suite  800 
Houston,  TX  77252 

Warren  Loch 

The Bercha Group

Room  250 

1220  Kensington  Road,  N.W. 
Calgary,  Alberta,  T2N  3P5 
CANADA 

Bengt  Lydell 
NUS  Corporation 
16835  W  Bernardo  Drive 
Suite  202 

San Diego, CA 92127

Sandy MacMullin

Nova  Scotia  Dept.   of  Mines  and 
Energy 

1701  Hollis  Street 
CANADA

Marc  A.  Maes 

Queen's  University 

Department  of  Civil  Engineering 
CANADA

James  Magill 
Washington, DC 20593

Minerals Management Service

David McDonald

Chevron  Research  &  Technology 
P.O. Box 5045

San  Ramon,  CA  94583-0945 

Richard  McGannon 
Chevron  Corporation 
225  Bush  Street 
Room  1854 

San  Francisco,  CA  94104-4289 

Steven McIntyre
American  Bureau  of  Shipping 
45  Eisenhower  Drive 
Paramus,  NJ  07653-0910 

Roy  L.  McKay 
Arco  Oil  &  Gas 

Shell Offshore Incorporated
Houston, TX 77252